This query detects successful AWS console logins that correlate with high-severity Credential Access or Initial Access alerts raised by Microsoft Defender products. It matches only logins that occur within 60 minutes of such an alert, and treats a login as relevant when it originates from an IP address the alert associates with a potential attacker.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Multi Cloud Attack Coverage Essentials - Resource Abuse |
| ID | b51fe620-62ad-4ed2-9d40-5c97c0a8231f |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, CredentialAccess |
| Techniques | T1078 |
| Required Connectors | OfficeATP, AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AWSCloudTrail | EventName == "ConsoleLogin" | ✓ | ✓ | ? |
| IdentityInfo | | ✓ | ✗ | ? |
| SecurityAlert | | ✓ | ✗ | ? |