id: 910124df-913c-47e3-a7cd-29e1643fa55e name: Failed AWS Console logons but success logon to AzureAD description: | 'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console. Uses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.' severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory dataTypes: - SigninLogs - connectorId: AWS dataTypes: - AWSCloudTrail queryFrequency: 1d queryPeriod: 1d triggerOperator: gt triggerThreshold: 0 tactics: - InitialAccess - CredentialAccess relevantTechniques: - T1078 - T1110 query: | //Adjust this threshold to fit environment let signin_threshold = 5; //Make a list of IPs with failed AWS console logins let aws_fails = AWSCloudTrail | where EventName == "ConsoleLogin" | extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) | where LoginResult != "Success" | where SourceIpAddress != "127.0.0.1" | summarize count() by SourceIpAddress | where count_ > signin_threshold | summarize make_set(SourceIpAddress); //See if any of those IPs have sucessfully logged into Azure AD. SigninLogs | where ResultType in ("0", "50125", "50140") | where IPAddress in (aws_fails) | extend Reason = "Multiple failed AWS Console logins from IP address" | extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1]) entityMappings: - entityType: Account fieldMappings: - identifier: FullName columnName: UserPrincipalName - identifier: Name columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix - entityType: Account fieldMappings: - identifier: AadUserId columnName: UserId - entityType: IP fieldMappings: - identifier: Address columnName: IPAddress version: 1.2.1 kind: Scheduled metadata: source: kind: Community author: name: Microsoft Security Research support: tier: Community categories: domains: [ "Security - Others", "Identity" ]