Brute forced ConsoleLogin event correlates with an assumed role event

aws

Classification: attack

Goal

Correlate a brute-force login attempt against the AWS console with the same user going on to assume an anomalous number of roles.

Strategy

Correlate the "Potential brute force attack on AWS ConsoleLogin" signal with the "Anomalous number of assumed roles from user" signal when both are attributed to the same ARN: {{@userIdentity.arn}}.
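The correlation described above, as an added example that is not Datadog's own rule logic: it groups constructed, flattened CloudTrail-style records by userIdentity.arn, fires the brute-force signal when enough failed ConsoleLogin events land inside one sliding window, fires the role signal when the same ARN has assumed enough distinct roles, and reports whether a later ConsoleLogin succeeded (the question triage step 2 asks). The thresholds, window and event fields are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5   # failed ConsoleLogin events within WINDOW (assumed)
DISTINCT_ROLE_THRESHOLD = 3  # distinct roles assumed by one ARN (assumed)
WINDOW = timedelta(hours=1)
ACCT = "arn:aws:iam::111122223333"  # constructed account id

def ev(t, name, user, **extra):
    # Constructed, flattened CloudTrail-style record: "arn" stands in for
    # userIdentity.arn and "roleArn" for requestParameters.roleArn.
    return {"t": t, "eventName": name, "arn": f"{ACCT}:user/{user}", **extra}

FAIL = {"errorMessage": "Failed authentication"}
EVENTS = (  # constructed sample data, not real account activity
    [ev(f"2024-05-01T10:0{i}:00Z", "ConsoleLogin", "alice", **FAIL) for i in range(5)]
    + [ev("2024-05-01T10:06:00Z", "ConsoleLogin", "alice")]  # brute force succeeds
    + [ev("2024-05-01T10:20:00Z", "AssumeRole", "alice", roleArn=f"{ACCT}:role/r{i}") for i in range(3)]
    + [ev(f"2024-05-01T11:0{i}:00Z", "ConsoleLogin", "bob", **FAIL) for i in range(2)]
    + [ev("2024-05-01T11:20:00Z", "AssumeRole", "bob", roleArn=f"{ACCT}:role/r{i}") for i in range(3)]
    + [ev(f"2024-05-01T12:0{i}:00Z", "ConsoleLogin", "carol", **FAIL) for i in range(6)]
    + [ev("2024-05-01T12:20:00Z", "AssumeRole", "carol", roleArn=f"{ACCT}:role/r0")]
)

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate(events, window=WINDOW, login_threshold=FAILED_LOGIN_THRESHOLD,
              role_threshold=DISTINCT_ROLE_THRESHOLD):
    """Return {arn: details} for every ARN on which both signals fire."""
    failures, successes, roles = defaultdict(list), set(), defaultdict(set)
    for e in events:
        arn = e["arn"]
        if e["eventName"] == "ConsoleLogin" and e.get("errorMessage"):
            failures[arn].append(parse(e["t"]))
        elif e["eventName"] == "ConsoleLogin":
            successes.add(arn)
        elif e["eventName"] == "AssumeRole":
            roles[arn].add(e["roleArn"])
    hits = {}
    for arn, times in failures.items():
        times.sort()
        # Brute-force signal: login_threshold failures inside one sliding window.
        brute = any(times[i + login_threshold - 1] - times[i] <= window
                    for i in range(len(times) - login_threshold + 1))
        if brute and len(roles[arn]) >= role_threshold:
            hits[arn] = {"failed_logins": len(times),
                         "distinct_roles": len(roles[arn]),
                         "login_succeeded": arn in successes}  # feeds triage step 2
    return hits
```

Only alice trips both signals: bob has too few failed logins and carol assumes a single role, so neither correlates.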

Triage and response

  1. Set the signal's triage state to Under Review.
  2. Determine whether the brute-force attack was successful.
    • If the login was not legitimate:
      • Investigate the user using the User Investigation Dashboard.
      • Rotate the credentials on the brute-forced account.
      • Enable MFA if it is not already enabled.
    • If the login was legitimate:
      • Triage the signal as a false positive.