aws-cis-benchmark-console-auth-fail Scenario

« aws-cis-benchmark-console-auth-fail »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1110confidence:3

Detect AWS console authentication failure

Installation

cscli scenarios install crowdsecurity/aws-cis-benchmark-console-auth-fail

Description

Detects AWS Console authentication failures based on cloudtrail logs (Section 4.6 of CIS AWS Foundation Benchmark 1.4.0 ).

YAML Configuration

1type: trigger
2name: crowdsecurity/aws-cis-benchmark-console-auth-fail
3description: "Detect AWS console authentication failure"
4filter: |
5  evt.Meta.log_type == 'aws-cloudtrail' && 
6  evt.Meta.event_name == "ConsoleLogin" && 
7  evt.Unmarshaled.cloudtrail.errorMessage == "Failed authentication"
8labels:
9  confidence: 3
10  spoofable: 0
11  classification:
12    - attack.T1110
13  behavior: "cloud:bruteforce"
14  label: "AWS bruteforce"
15  service: aws
16  remediation: false
17

Hub configuration

« aws-cis-benchmark-console-auth-fail »v0.3 by crowdsecurityAttack scenarioservice:awsspoofable:0MITRE:T1110confidence:3

« aws-cis-benchmark-console-auth-fail »
v0.3 by crowdsecurity
Attack scenarioservice:awsspoofable:0MITRE:T1110confidence:3