UBA : AWS Console Accessed by Unauthorized User
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : AWS Console Accessed by Unauthorized User
Enabled by default
False
Default senseValue
10
Description
Detects an unauthorized attempt to access the Amazon Web Services (AWS) console by a user that is outside the authorized list in the 'AWS - Standard Users' reference set.
Support rules
BB:UBA : Common Event Filters
Required configuration
- Install the following package from the IBM Security App Exchange: IBM QRadar Content Extension for Monitoring Amazon AWS.
- Add the appropriate values to the following reference set: "AWS - Standard Users"
- Configure the following log source: Amazon AWS CloudTrail
Log source types
Amazon AWS CloudTrail (EventID: ConsoleLogin)