Detect AWS Console Login by New User

Status: production
Group by: user
Author: Rico Valdez, Splunk
Source: github.com/splunk/security_content

The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.

MITRE ATT&CK coverage

Tactic	Techniques
Resource Development	`T1586.003` Compromise Accounts: Cloud Accounts
Credential Access	`T1552` Unsecured Credentials

Rule body splunk

name: Detect AWS Console Login by New User
id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71
version: 11
creation_date: '2020-10-26'
modification_date: '2026-05-13'
author: Rico Valdez, Splunk
status: production
type: Hunting
description: The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.
data_source:
    - AWS CloudTrail
search: |-
    | tstats earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Authentication
      WHERE Authentication.signature=ConsoleLogin
      BY Authentication.user
    | `drop_dm_object_name(Authentication)`
    | join user type=outer [
    | inputlookup previously_seen_users_console_logins
    | stats min(firstTime) as earliestseen
      BY user]
    | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User")
    | where userStatus="First Time Logging into AWS Console"
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `detect_aws_console_login_by_new_user_filter`
how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.
known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.
references: []
analytic_story:
    - Suspicious Cloud Authentication Activities
    - AWS Identity and Access Management Account Takeover
asset_type: AWS Instance
mitre_attack_id:
    - T1552
    - T1586.003
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: threat
baselines:
    - Previously Seen Users in CloudTrail - Initial
    - Previously Seen Users In CloudTrail - Update
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail
      description: PORTED MANUAL TEST - This search needs the baseline `Previously Seen Users in CloudTrail - Initial` to be run first.
      test_type: experimental

Stages and Predicates

Stage 1: `tstats`

| tstats earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Authentication
  WHERE Authentication.signature=ConsoleLogin
  BY Authentication.user

Stage 2: `search`

| `drop_dm_object_name(Authentication)`

Stage 3: `join`

| join user type=outer [
| inputlookup previously_seen_users_console_logins
| stats min(firstTime) as earliestseen
  BY user]

Stage 4: `eval`

| eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User")

userStatus =

1."First Time Logging into AWS Console"

-"Previously Seen User"(default)

Stage 5: `where`

| where userStatus="First Time Logging into AWS Console"

Stage 6: `search`

| `security_content_ctime(firstTime)`

Stage 7: `search`

| `security_content_ctime(lastTime)`

Stage 8: `search`

| `detect_aws_console_login_by_new_user_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Authentication.signature`	eq	`ConsoleLogin`
`userStatus`	eq	`"First Time Logging into AWS Console"`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Detect AWS Console Login by New User

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `join`

Stage 4: `eval`

Stage 5: `where`

Stage 6: `search`

Stage 7: `search`

Stage 8: `search`

Indicators

Keyboard shortcuts

Search operators

Detect AWS Console Login by New User

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: tstats

Stage 2: search

Stage 3: join

Stage 4: eval

Stage 5: where

Stage 6: search

Stage 7: search

Stage 8: search

Indicators

Stage 1: `tstats`

Stage 2: `search`

Stage 3: `join`

Stage 4: `eval`

Stage 5: `where`

Stage 6: `search`

Stage 7: `search`

Stage 8: `search`