All Apps and Add-ons

Why does a failed AWS Console login still map to a successful login?

Engager

Hi guys,

So I'm consuming AWS Cloudtrail events and am particaulrly interested in failed logins to the AWS console.

the correct event is enventName=ConsoleLogin but even when the event has failed it still gets a success action.

Here's the event:
{ [-]
additionalEventData: { [+]
}
awsRegion: us-east-1
errorMessage: Failed authentication
eventID: xxxxxxxxxxxxxxxxxxxxxxx
eventName: ConsoleLogin
eventSource: signin.amazonaws.com
eventTime: 2016-06-13T10:52:17Z
eventType: AwsConsoleSignIn
eventVersion: 1.02
recipientAccountId: 8348xxxxxxxxxxxxx
requestParameters: null
responseElements: { [-]
ConsoleLogin: Failure
}
sourceIPAddress: xxxxxxxxxxxxxxxx
userAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
userIdentity: { [+]
}
}

The event action is still set to sucess.

I traced it to the lookup aws-cloudtrail-action-status.csv but that seems to be expecting a errorcode - which isn't populated. It needs to read responseElements.ConsoleLogin in order to determine success.

Sample of the lookup:
eventName,errorCode,action,status

ConsoleLogin,success,success,success
ConsoleLogin,*,failure,failure

Could you give us a steer on how to resolve?

Thanks

0 Karma
1 Solution

Motivator

Maybe you can alter the EVAL-errorCode statement in props.conf (in the TA), so that the errorCode value is populated for Console Login failures?

EVAL-errorCode = if('responseElements.ConsoleLogin'=="Failure", "failure", coalesce('errorCode',"success"))

View solution in original post

Motivator

Maybe you can alter the EVAL-errorCode statement in props.conf (in the TA), so that the errorCode value is populated for Console Login failures?

EVAL-errorCode = if('responseElements.ConsoleLogin'=="Failure", "failure", coalesce('errorCode',"success"))

View solution in original post

Engager

Perfect - issue resolved.

Thanks

0 Karma

Motivator

I should add-- you'll want to add this to a local/props.conf so the change isn't overwritten when you upgrade the TA.

0 Karma