github-actions[bot]
commented
2 weeks ago Welcome @thuya-hacktilizer :wave:
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
The rule will detect IAM user console login without MFA.
title: AWS IAM user login without MFA id: - status: stable description: IAM user login without MFA which will break security as well as compliance. references:
Public References / Exampel Event Log
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EXAMPLE6E4XEGITWATV6R", "arn": "arn:aws:iam::999999999999:user/Anaya", "accountId": "999999999999", "userName": "Anaya" }, "eventTime": "2023-07-19T21:44:40Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.0", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0", "requestParameters": null, "responseElements": { "ConsoleLogin": "Success" }, "additionalEventData": { "LoginTo": "https://console.aws.amazon.com/console/home?hashArgs=%23&isauthcode=true&state=hashArgsFromTB_us-east-1_examplee9aba7f8", "MobileVersion": "No", "MFAUsed": "No" }, "eventID": "e1bf1000-86a4-4a78-81d7-EXAMPLE83102", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "999999999999", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "us-east-1.signin.aws.amazon.com" } }