Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products. Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert. The login is considered relevant if it originates from an IP address associated with potential attackers.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Multi Cloud Attack Coverage Essentials - Resource Abuse |
| ID | 188db479-d50a-4a9c-a041-644bae347d1f |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, CredentialAccess |
| Techniques | T1110, T1078 |
| Required Connectors | AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
AWSCloudTrail |
EventName == "ConsoleLogin" |
✓ | ✓ | ✓ |
IdentityInfo |
✓ | ✗ | ? | |
SecurityAlert |
AlertName in "Multiple failed user log on attempts to an app,Password Spray"ProductName in "Azure Active Directory Identity Protection,Microsoft Cloud App Security" |
✓ | ✗ | ✓ |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Analytic Rules · Back to Multi Cloud Attack Coverage Essentials - Resource Abuse