Classification:
compliance
Framework:
cis-aws
Control:
cis-3.6
Detect when a user is a victim of an Account Take Over (ATO) by a brute force attack.
This rule monitors CloudTrail and detects when any @evt.name
has a value of Console Login
, and @responseElements.ConsoleLogin
has a value of Failure
.