
Why does a failed AWS Console login still map to a successful login?

dareniles
Engager

Hi guys,

So I'm consuming AWS CloudTrail events and am particularly interested in failed logins to the AWS console.

The correct event is eventName=ConsoleLogin, but even when the event has failed it still gets a success action.

Here's the event:
{
  additionalEventData: { ... }
  awsRegion: us-east-1
  errorMessage: Failed authentication
  eventID: xxxxxxxxxxxxxxxxxxxxxxx
  eventName: ConsoleLogin
  eventSource: signin.amazonaws.com
  eventTime: 2016-06-13T10:52:17Z
  eventType: AwsConsoleSignIn
  eventVersion: 1.02
  recipientAccountId: 8348xxxxxxxxxxxxx
  requestParameters: null
  responseElements: {
    ConsoleLogin: Failure
  }
  sourceIPAddress: xxxxxxxxxxxxxxxx
  userAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
  userIdentity: { ... }
}

The event action is still set to success.

I traced it to the lookup aws-cloudtrail-action-status.csv, but that seems to be expecting an errorCode - which isn't populated. It needs to read responseElements.ConsoleLogin in order to determine success.

Sample of the lookup:
eventName,errorCode,action,status
ConsoleLogin,success,success,success
ConsoleLogin,*,failure,failure

Could you give us a steer on how to resolve?

Thanks

0 Karma
1 Solution

Jeremiah
Motivator

Maybe you can alter the EVAL-errorCode statement in props.conf (in the TA), so that the errorCode value is populated for Console Login failures?

EVAL-errorCode = if('responseElements.ConsoleLogin'=="Failure", "failure", coalesce('errorCode',"success"))


dareniles
Engager

Perfect - issue resolved.

Thanks

0 Karma

Jeremiah
Motivator

I should add: you'll want to add this to a local/props.conf so the change isn't overwritten when you upgrade the TA.

0 Karma
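As an added illustration (not code from the thread or from the Splunk TA), the following Python replays the accepted answer's EVAL-errorCode logic and the lookup sample from the question, so the before/after classification of a failed ConsoleLogin can be checked offline. The pre-fix behaviour (errorCode defaulting to "success" when absent) and the sample events are assumptions constructed to reproduce the symptom described.

```python
# Added illustration (not part of the Splunk TA or this thread): replays the
# thread's EVAL-errorCode fix and the lookup sample in plain Python.

# Rows from the lookup sample quoted in the question:
# eventName, errorCode, action, status.  "*" is a wildcard match on errorCode.
LOOKUP_ROWS = [
    ("ConsoleLogin", "success", "success", "success"),
    ("ConsoleLogin", "*", "failure", "failure"),
]

def original_error_code(event):
    # Assumed pre-fix behaviour: errorCode is absent on ConsoleLogin failures,
    # so the field defaults to "success" and the lookup's first row matches.
    return event.get("errorCode", "success")

def fixed_error_code(event):
    # Equivalent of the suggested props.conf line:
    # EVAL-errorCode = if('responseElements.ConsoleLogin'=="Failure",
    #                     "failure", coalesce('errorCode',"success"))
    resp = event.get("responseElements") or {}
    if resp.get("ConsoleLogin") == "Failure":
        return "failure"
    return event.get("errorCode") or "success"

def lookup_action_status(event_name, error_code):
    # First matching row wins, as in a Splunk CSV lookup; "*" matches anything.
    for name, code, action, status in LOOKUP_ROWS:
        if name == event_name and (code == "*" or code == error_code):
            return action, status
    return None, None

def classify(event, derive=fixed_error_code):
    return lookup_action_status(event["eventName"], derive(event))

# Constructed samples modelled on the event in the question (no real identifiers).
FAILED_LOGIN = {
    "eventName": "ConsoleLogin",
    "errorMessage": "Failed authentication",
    "responseElements": {"ConsoleLogin": "Failure"},
}
SUCCESSFUL_LOGIN = {
    "eventName": "ConsoleLogin",
    "responseElements": {"ConsoleLogin": "Success"},
}

if __name__ == "__main__":
    for label, ev in (("failed", FAILED_LOGIN), ("successful", SUCCESSFUL_LOGIN)):
        print(label, "before:", classify(ev, original_error_code),
              "after:", classify(ev))
```

With the fix, a failed console login maps to action=failure/status=failure while a real errorCode such as an API denial still passes through to the wildcard row.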