Managed Sentinel – Alert 107

Alert ID: MS-A107
Alert Name: Login to AWS Management Console without MFA
Description: Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.
You can limit this detection to trigger only for administrative accounts if you do not have MFA enabled on all accounts.
The detection looks for the eventName ConsoleLogin where the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates the result was NOT a failure, i.e. a non-MFA login succeeded.
Severity Level: Low
Threat Indicator: Improper Access
MITRE ATT&CK Tactics: Initial Access, Privilege Escalation, Defense Evasion
False Positives: Service Accounts
Log Sources: AWS CloudTrail
Recommendations:
1. Review the AWS policy change and understand why the target user is not configured to use MFA.
2. Enable MFA for in-scope users.
3. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see if any lateral movement occurred.
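The detection logic described above (ConsoleLogin event, MFA not used, result not a failure), worked through as an added Python example over CloudTrail JSON records. This is illustrative code, not the managed service's own Sentinel rule; the record layout follows the documented shape of CloudTrail ConsoleLogin events (additionalEventData.MFAUsed, responseElements.ConsoleLogin), and the sample records, the admin-only scoping by user name and the service-account exclusion list are constructed assumptions to show the two tuning options the alert description and false-positive note mention.

```python
"""Find successful AWS Management Console logins made without MFA.

Added example, not the managed Sentinel rule. Field names follow the
documented layout of CloudTrail ConsoleLogin events; sample data is constructed.
"""
import json
from typing import Collection, Iterable, List, Optional

# Constructed sample of a CloudTrail delivery file (not real log data).
SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "svc-deploy"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})


def load_records(raw_json: str) -> List[dict]:
    """Parse a CloudTrail delivery document into its list of event records."""
    return json.loads(raw_json).get("Records", [])


def principal(event: dict) -> str:
    """Name the principal: IAM user name, or the identity type (e.g. Root) if absent."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def is_successful_non_mfa_console_login(event: dict) -> bool:
    """Apply the alert's three conditions to one record."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed", "")
    outcome = event.get("responseElements", {}).get("ConsoleLogin", "")
    # MFA was NOT used, and the response is NOT a Failure (per the alert description).
    return mfa_used.lower() == "no" and outcome != "Failure"


def find_non_mfa_logins(events: Iterable[dict],
                        admin_users: Optional[Collection[str]] = None,
                        excluded_users: Collection[str] = ()) -> List[str]:
    """Return principals that logged in without MFA, in record order.

    admin_users: if given, restrict to these user names plus the Root identity
                 (the "administrative accounts only" tuning; how admins are
                 identified is an assumption of this example).
    excluded_users: known service accounts to suppress as false positives.
    """
    hits = []
    for event in events:
        if not is_successful_non_mfa_console_login(event):
            continue
        who = principal(event)
        if who in excluded_users:
            continue
        if admin_users is not None and who != "Root" and who not in admin_users:
            continue
        hits.append(who)
    return hits


if __name__ == "__main__":
    records = load_records(SAMPLE_CLOUDTRAIL_JSON)
    print("all:", find_non_mfa_logins(records))
    print("admins only, service accounts excluded:",
          find_non_mfa_logins(records, admin_users={"bob"}, excluded_users={"svc-deploy"}))
```

Note that the check follows the alert text literally ("not a Failure" rather than "equals Success"), so a ConsoleLogin record with a missing or unexpected responseElements value would still match; tightening it to `outcome == "Success"` is a reasonable local choice if you see noise from malformed records.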