ConsoleLogin event correlates privileged policy applying to a role

Docs > Datadog Security > OOTB Rules > ConsoleLogin event correlates privileged policy applying to a role

aws

Classification:

attack

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Correlate a brute force login with a privileged policy being applied to a role.

Strategy

Correlate the Potential brute force attack on AWS ConsoleLogin and cloudtrail AWS IAM AdministratorAccess policy was applied to a role signals based on the ARN: {{@userIdentity.arn}}.

Triage and response

Set signal triage state to Under Review.
Determine if the brute force attack was successful.
- If the login was not legitimate:
  - Revert the privileged policy change
  - Rotate credentials on the brute forced account
  - Enable MFA if it is not already
- If the login was legitimate:
  - Triage the signal as a false positive