Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products. Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Multi Cloud Attack Coverage Essentials - Resource Abuse |
| ID | 188db479-d50a-4a9c-a041-644bae347d1f |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, CredentialAccess |
| Techniques | T1110, T1078 |
| Required Connectors | AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
AWSCloudTrail |
EventName == "ConsoleLogin" |
✓ | ✓ | ? |
IdentityInfo |
✓ | ✗ | ? | |
SecurityAlert |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
↑ Back to Analytic Rules · Back to Multi Cloud Attack Coverage Essentials - Resource Abuse