AWS Authentication From CrowdStrike Unmanaged Device

Severity
medium
Tags
Multi-Table Query
Reference
https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
Source
github.com/panther-labs/panther-analysis

Detects AWS logins from IP addresses not found in CrowdStrike's AIP list. A match may indicate that an unmanaged device is being used, or that the CrowdStrike sensor on the device is faulty.

Rule body (YAML)

AnalysisType: scheduled_rule
Description: Detects AWS Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor.
DisplayName: "AWS Authentication From CrowdStrike Unmanaged Device"
Enabled: false
Filename: aws_authentication_from_crowdstrike_unmanaged_device.py
Reference: https://www.crowdstrike.com/wp-content/uploads/2023/05/crowdstrike-falcon-device-control-data-sheet.pdf
Severity: Medium
Tests:
  - ExpectedResult: true
    Log:
      additionalEventData:
        LoginTo: https://console.aws.amazon.com/console/home
        MFAIdentifier: arn:aws:iam::12345:mfa/homer_simpson
        MFAUsed: "Yes"
        MobileVersion: "No"
      awsRegion: us-east-2
      eventCategory: Management
      eventID: "12345"
      eventName: ConsoleLogin
      eventSource: signin.amazonaws.com
      eventTime: "2023-01-10 20:10:41"
      eventType: AwsConsoleSignIn
      eventVersion: "1.08"
      managementEvent: true
      readOnly: false
      recipientAccountId: "12345"
      responseElements:
        ConsoleLogin: Success
      sourceIPAddress: 1.2.3.4
      tlsDetails:
        cipherSuite: ECDHE-RSA-AES128-GCM-SHA256
        clientProvidedHostHeader: us-east-2.signin.aws.amazon.com
        tlsVersion: TLSv1.2
      userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
      userIdentity:
        accountId: "12345"
        arn: arn:aws:iam::12345:user/homer_simpson
        principalId: ABCDEF
        type: IAMUser
        userName: homer_simpson
    Name: Test-d8301d
DedupPeriodMinutes: 60
RuleID: "AWS.Authentication.From.CrowdStrike.Unmanaged.Device"
Threshold: 1
ScheduledQueries:
  - AWS Authentication from CrowdStrike Unmanaged Device
Tags:
  - Multi-Table Query

Detection logic

Filter

from panther_aws_helpers import aws_rule_context


def rule(_):
    return True


def title(event):
    return (
        f"AWS [{event.get('eventName')}] for "
        f"[{event.deep_get('userIdentity', 'arn', default='<arn_not_found>')}]"
        " from unmanaged IP Address."
    )


def alert_context(event):
    return aws_rule_context(event)
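The Python rule above returns True for every row because the filtering happens in the scheduled query (AWS Authentication from CrowdStrike Unmanaged Device), which this page does not show. The following added example is not Panther's code or the panther-analysis query; it emulates, on constructed data, the multi-table comparison the rule depends on: take successful CloudTrail ConsoleLogin events and keep those whose sourceIPAddress does not appear among the external IPs reported by CrowdStrike sensors (the "AIP list"). The record shapes (an `aip` field per sensor, success judged by responseElements.ConsoleLogin) and the `deep_get` helper are assumptions made for the illustration; the title format is the one the rule on this page uses.

```python
# Added illustration, not Panther's code and not the scheduled query from
# panther-analysis (which this page does not show). All records are constructed.
from typing import Any

# Constructed CrowdStrike AIP records: one external IP per sensor (assumed shape).
CROWDSTRIKE_AIP = [
    {"aid": "aid-0001", "aip": "203.0.113.10"},
    {"aid": "aid-0002", "aip": "203.0.113.11"},
]

# Constructed CloudTrail console sign-in events, trimmed to the keys the logic reads.
CLOUDTRAIL_LOGINS = [
    {   # managed device: IP is known to a sensor, so no alert
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.10",
        "responseElements": {"ConsoleLogin": "Success"},
        "userIdentity": {"arn": "arn:aws:iam::12345:user/homer_simpson"},
    },
    {   # unmanaged device: successful login from an IP no sensor reported
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "responseElements": {"ConsoleLogin": "Success"},
        "userIdentity": {"arn": "arn:aws:iam::12345:user/marge_simpson"},
    },
    {   # unmanaged device and no userIdentity block: exercises the title default
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.8",
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # failed login from an unmanaged IP: excluded by the success filter (assumption)
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.9",
        "responseElements": {"ConsoleLogin": "Failure"},
        "userIdentity": {"arn": "arn:aws:iam::12345:user/bart_simpson"},
    },
]


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Minimal stand-in for Panther's event.deep_get(): walk nested dict keys."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def unmanaged_logins(logins: list, aip_records: list) -> list:
    """Successful ConsoleLogin events whose source IP no CrowdStrike sensor reported."""
    managed_ips = {rec["aip"] for rec in aip_records}
    return [
        ev
        for ev in logins
        if ev.get("eventName") == "ConsoleLogin"
        and deep_get(ev, "responseElements", "ConsoleLogin") == "Success"
        and ev.get("sourceIPAddress") not in managed_ips
    ]


def title(event: dict) -> str:
    """Same alert title format as the rule on this page, using the local deep_get."""
    arn = deep_get(event, "userIdentity", "arn", default="<arn_not_found>")
    return f"AWS [{event.get('eventName')}] for [{arn}] from unmanaged IP Address."


if __name__ == "__main__":
    for hit in unmanaged_logins(CLOUDTRAIL_LOGINS, CROWDSTRIKE_AIP):
        print(title(hit), hit["sourceIPAddress"])
```

Two things worth keeping in mind when tuning the real query: the AIP list only covers hosts whose sensor has recently reported, so a sensor outage or a freshly enrolled host shows up as "unmanaged" (the faulty-sensor case the description mentions), and NAT or VPN egress means several devices can share one external IP, so a match on IP proves the network path is managed, not the device itself.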

Output fields

Fields the rule emits when it matches. For this Panther rule they are populated by the title() and alert_context() functions above: alert_context() hands the event to aws_rule_context, and title() reads eventName and userIdentity.arn.

Field               Source
eventName           eventName
eventSource         eventSource
awsRegion           awsRegion
recipientAccountId  recipientAccountId
sourceIPAddress     sourceIPAddress
userAgent           userAgent
userIdentity        userIdentity
arn                 userIdentity.arn