
AWS IAM User Console Login from Multiple Geolocations

Elastic Detection Rules

Summary
This rule detects anomalous AWS IAM Console sign-ins by aggregating successful ConsoleLogin events from AWS CloudTrail for each IAM user over a lookback window of approximately 65 minutes (now-65m) and a 10-minute interval. It triggers when logins originate from two or more distinct countries within that window, identified via source.geo.country_iso_code values. The underlying premise is that legitimate users are unlikely to physically appear in multiple countries in a short time, so multi-geography sign-ins suggest credential or session compromise, such as adversary-in-the-middle (AiTM) phishing where an attacker relays a live MFA session. The detection is the CloudTrail-native analog of impossible-travel sign-ins, and maps to MITRE ATT&CK techniques T1078.004 (Cloud Accounts) under Initial Access and T1539 (Steal Web Session Cookie) under Credential Access. The rule uses fields such as aws.cloudtrail.user_identity.arn, cloud.account.id, source.geo.country_iso_code, source.ip, and timestamp to compute timestamp_min, timestamp_max, and distinct geo counts. If two or more distinct countries are observed for the same user and account, an alert is generated with a medium severity and risk score of 47. The rule includes references to AWS sign-in events and a remediation path emphasizing session revocation, credential resets, MFA rotation, and migrating to phishing-resistant MFA (FIDO2/passkeys) to defeat AiTM relays.
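The aggregation the summary describes, as an added worked example in Python (not Elastic's rule code or query). It assumes the events have already been normalized into flat ECS-style documents using the field names quoted above (`aws.cloudtrail.user_identity.arn`, `cloud.account.id`, `source.ip`, `source.geo.country_iso_code`) plus `@timestamp`, `event.action` and `event.outcome` for the login filter; the account id, ARNs, IPs and timestamps are constructed sample data. It groups successful `ConsoleLogin` events per account and user inside the lookback window, computes `timestamp_min`, `timestamp_max` and the distinct-country count, and emits an alert only when two or more countries appear. The sample set also covers the cases a tuner would want to see not fire: two IPs in the same country, a second country that falls outside the window, a failed login, and a record with no geo enrichment.

```python
"""Worked example of the multi-geolocation console-login aggregation (added illustration,
not Elastic's rule code). Field names follow the ECS-style names quoted in the summary;
the event shape and all sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def _event(ts, arn, account, ip, country, outcome="success", action="ConsoleLogin"):
    """Build one flattened, ECS-like CloudTrail login record (constructed sample data)."""
    ev = {
        "@timestamp": ts,
        "event.action": action,
        "event.outcome": outcome,
        "aws.cloudtrail.user_identity.arn": arn,
        "cloud.account.id": account,
        "source.ip": ip,
    }
    if country is not None:
        ev["source.geo.country_iso_code"] = country
    return ev


ACCOUNT = "111111111111"  # constructed account id
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
CAROL = f"arn:aws:iam::{ACCOUNT}:user/carol"
DAVE = f"arn:aws:iam::{ACCOUNT}:user/dave"

# "Now" for the evaluation run; the lookback window is [now-65m, now].
NOW = datetime(2026, 6, 29, 11, 0, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    # alice: two successful logins from different countries inside the window -> alert
    _event("2026-06-29T10:00:00Z", ALICE, ACCOUNT, "203.0.113.10", "US"),
    _event("2026-06-29T10:30:00Z", ALICE, ACCOUNT, "198.51.100.7", "DE"),
    # bob: two IPs but the same country -> no alert
    _event("2026-06-29T10:05:00Z", BOB, ACCOUNT, "203.0.113.20", "US"),
    _event("2026-06-29T10:40:00Z", BOB, ACCOUNT, "203.0.113.21", "US"),
    # carol: the second country is outside the 65-minute window -> no alert
    _event("2026-06-29T08:00:00Z", CAROL, ACCOUNT, "192.0.2.9", "JP"),
    _event("2026-06-29T10:10:00Z", CAROL, ACCOUNT, "192.0.2.10", "FR"),
    # dave: a failed login from a second country does not count, and a record without
    # geo enrichment is skipped because no country can be attributed to it -> no alert
    _event("2026-06-29T10:15:00Z", DAVE, ACCOUNT, "198.51.100.50", "US"),
    _event("2026-06-29T10:20:00Z", DAVE, ACCOUNT, "192.0.2.77", "BR", outcome="failure"),
    _event("2026-06-29T10:25:00Z", DAVE, ACCOUNT, "198.51.100.51", None),
]


def detect_multi_geo_logins(events, now, lookback_minutes=65, min_countries=2):
    """Aggregate successful ConsoleLogin events per (account, user ARN) inside the lookback
    window and return one alert per user seen from >= min_countries distinct countries."""
    window_start = now - timedelta(minutes=lookback_minutes)
    groups = defaultdict(lambda: {"countries": set(), "ips": set(), "timestamps": []})
    for ev in events:
        if ev.get("event.action") != "ConsoleLogin" or ev.get("event.outcome") != "success":
            continue
        country = ev.get("source.geo.country_iso_code")
        if not country:
            continue  # no geo enrichment: nothing to compare against
        ts = _parse_ts(ev["@timestamp"])
        if not (window_start <= ts <= now):
            continue
        key = (ev.get("cloud.account.id"), ev.get("aws.cloudtrail.user_identity.arn"))
        g = groups[key]
        g["countries"].add(country)
        g["ips"].add(ev.get("source.ip"))
        g["timestamps"].append(ts)

    alerts = []
    for (account, arn), g in sorted(groups.items()):
        if len(g["countries"]) < min_countries:
            continue
        alerts.append({
            "cloud.account.id": account,
            "aws.cloudtrail.user_identity.arn": arn,
            "countries": sorted(g["countries"]),
            "source_ips": sorted(g["ips"]),
            "login_count": len(g["timestamps"]),
            "timestamp_min": min(g["timestamps"]).isoformat(),
            "timestamp_max": max(g["timestamps"]).isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_multi_geo_logins(SAMPLE_EVENTS, NOW):
        print(alert)
```

Run against the sample set only alice produces an alert. Widening `lookback_minutes` pulls carol's earlier JP login into the window and makes her trigger too, which is the same trade-off the real rule's `now-65m` setting encodes: a longer window catches slower relays but also catches ordinary travel and VPN switches, so the window and the country count are the two knobs to tune against your own baseline.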
Categories
  • Cloud
  • Identity Management
  • AWS
Data Sources
  • Cloud Service
  • Logon Session
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1539
Created: 2026-06-29