SecOpsAWSRootLogin

A successful root account login was detected. This account should only be used to create initial IAM users or perform tasks only available to the root user. Using this account is against AWS security best practices.

This detection filters CloudTrail events whose eventName is ConsoleLogin and whose userName equals root.

Source table → cloud.aws.cloudtrail

SecOpsAWSCreateloginprofile

Detects a login by a user that was created in the last 24 hours, and checks whether the user creation and the login were performed from the same IP address. This behaviour could indicate a privilege escalation attempt.

This alert filters ConsoleLogin CloudTrail events that come from the AWS sign-in service. It then uses a subquery to check for login profile creations during the 24 hours prior to the login, using the source IP address to correlate the two events.

Source table → cloud.aws.cloudtrail

AWS CloudWatch alerts

AWS CloudWatch - AWS Detect STS Get Session Token Abuse

This alert detects STS GetSessionToken calls. The temporary credentials these calls return can be used to move laterally or escalate privileges in AWS.

Source table → cloud.aws.cloudtrail
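The three rules above (root console login, login by a user whose login profile was created in the previous 24 hours from the same IP, and STS GetSessionToken calls) can be read as plain filters and a time-window correlation over CloudTrail records. The following Python is an added worked example, not code from the alert pack or from AWS: it implements each rule over a handful of constructed CloudTrail-style records held in memory rather than over the cloud.aws.cloudtrail table. The record field names (eventName, eventSource, sourceIPAddress, userIdentity, requestParameters, responseElements) follow the CloudTrail record format; all values are invented for this example. Note the caveat in detect_root_login: raw CloudTrail marks the root principal with userIdentity.type == "Root" rather than a userName of root, so the function accepts either, while the page's rule relies on the normalized userName field.

```python
"""Added example: the page's three CloudTrail detections over constructed records."""
from datetime import datetime, timedelta, timezone
import json

# Constructed CloudTrail-style records (invented values, not real telemetry).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateLoginProfile", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "admin-ops"},
     "requestParameters": {"userName": "temp-user"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "temp-user"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"}},
    {"eventTime": "2024-01-10T11:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.9",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def _parse_time(ts):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_successful_console_login(ev):
    """ConsoleLogin records carry the outcome in responseElements.ConsoleLogin."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success")


def detect_root_login(events):
    """SecOpsAWSRootLogin: successful ConsoleLogin by the root principal.
    Accepts userIdentity.type == "Root" (raw CloudTrail) or userName == "root"
    (the normalized field the page's rule filters on)."""
    hits = []
    for ev in events:
        if not is_successful_console_login(ev):
            continue
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "Root" or ident.get("userName") == "root":
            hits.append(ev)
    return hits


def detect_new_user_login_same_ip(events, window=timedelta(hours=24)):
    """SecOpsAWSCreateloginprofile: a successful sign-in-service ConsoleLogin
    for a user whose CreateLoginProfile happened within `window` before the
    login and from the same source IP (the page's subquery, done in memory)."""
    profiles = [ev for ev in events if ev.get("eventName") == "CreateLoginProfile"]
    hits = []
    for login in events:
        if not is_successful_console_login(login):
            continue
        if login.get("eventSource") != "signin.amazonaws.com":
            continue
        user = login.get("userIdentity", {}).get("userName")
        t_login = _parse_time(login["eventTime"])
        for p in profiles:
            if p.get("requestParameters", {}).get("userName") != user:
                continue
            age = t_login - _parse_time(p["eventTime"])
            if timedelta(0) <= age <= window and \
                    p.get("sourceIPAddress") == login.get("sourceIPAddress"):
                hits.append({"user": user, "ip": login["sourceIPAddress"],
                             "created": p["eventTime"], "login": login["eventTime"]})
    return hits


def detect_sts_get_session_token(events):
    """AWS Detect STS Get Session Token Abuse: every GetSessionToken call to STS."""
    return [ev for ev in events
            if ev.get("eventSource") == "sts.amazonaws.com"
            and ev.get("eventName") == "GetSessionToken"]


def run_all(events):
    """Run the three rules and return the hit counts per rule."""
    return {
        "root_login": len(detect_root_login(events)),
        "new_user_login_same_ip": len(detect_new_user_login_same_ip(events)),
        "sts_get_session_token": len(detect_sts_get_session_token(events)),
    }


if __name__ == "__main__":
    print(json.dumps(run_all(SAMPLE_EVENTS), indent=2))
```

On the sample set, the root login and the temp-user login each fire once, while dev-user's failed ConsoleLogin from a different IP does not, which is the behaviour a practitioner should confirm before shipping the correlation rule: a failed login or a mismatched IP must not raise the alert.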
