User impersonation by Identity Protection alerts

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.

Attribute	Value
Type	Analytic Rule
Solution	Multi Cloud Attack Coverage Essentials - Resource Abuse
ID	11c3d541-5fa5-49df-8218-d1c98584473b
Severity	Medium
Kind	Scheduled
Tactics	PrivilegeEscalation
Techniques	T1134
Required Connectors	AWS, AzureActiveDirectoryIdentityProtection
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AWSCloudTrail	EventName in "AddUserToGroup,ChangePassword,CreateAccessKey,CreateGroup,CreateRole,CreateUser,CreateVirtualMFADevice,DeleteAccessKey,DeleteGroup,DeleteLoginProfile,DeleteRole,DeleteUser,RemoveUserFromGroup"	✓	✓	?
SecurityAlert		✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Multi Cloud Attack Coverage Essentials - Resource Abuse