---
title: Potential brute force attack on AWS ConsoleLogin
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Potential brute force attack on AWS
  ConsoleLogin
---

# Potential brute force attack on AWS ConsoleLogin
Classification:attackTactic:[TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)Technique:[T1110-brute-force](https://attack.mitre.org/techniques/T1110) 
## Goal{% #goal %}

Detect when a user is a victim of an Account Take Over (ATO) by a brute force attack.

## Strategy{% #strategy %}

This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.

## Triage and response{% #triage-and-response %}

1. Determine if the user logged in with 2FA.
1. Reach out to the user and ensure the login was legitimate.

## Changelog{% #changelog %}

- 17 March 2022 - Updated rule query.
- 10 February 2023 - Updated rule query.
- 10 July 2023 - Updated group by fields.