Managed Sentinel – Alert 107
Alert ID | MS-A107 |
Alert Name | Login to AWS Management Console without MFA |
Description | Multi-Factor Authentication (MFA) helps you prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA. If MFA is not enabled on all accounts, you can limit this detection to trigger only for administrative accounts. Detection logic: the event has eventName ConsoleLogin, the AdditionalEventData field indicates MFA was NOT used, and the ResponseElements field indicates the login was NOT a Failure, which means a non-MFA login succeeded. |
Severity Level | Low |
Threat Indicator | Improper Access |
MITRE ATT&CK Tactics | Initial Access, Persistence, Privilege Escalation, Defense Evasion |
False Positives | Service Accounts |
Log sources | AWS CloudTrail |
Recommendations | 1. Review the AWS policy change and understand why the target user is not configured to use MFA. 2. Enable MFA for in-scope users. 3. Perform an investigation in Azure Sentinel for the same user account, hostname and/or IP address entity to see if any lateral movements were completed. |
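The detection logic in the Description row, expressed as runnable Python over raw CloudTrail records. This is an added example, not Managed Sentinel or Microsoft code; it applies the same three conditions (eventName ConsoleLogin, MFAUsed not "Yes", ConsoleLogin outcome not "Failure") and adds the optional "administrative accounts only" scoping the description mentions. The field names (eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin, userIdentity.type and userIdentity.arn) are the standard CloudTrail ConsoleLogin record fields; the sample records, account ID, ARNs and IP addresses are constructed placeholders.

```python
"""Successful AWS Management Console logins without MFA (alert MS-A107 logic).

Added example, not Managed Sentinel code. Sample records below are constructed.
"""
import json
from typing import Any, Dict, FrozenSet, List

# Constructed CloudTrail delivery file: the {"Records": [...]} wrapper is the
# shape CloudTrail writes to S3. Account ID, ARNs and IPs are placeholders.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # 1. IAM user, password only, login succeeded -> in scope
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # 2. IAM user with MFA -> not in scope
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    # 3. Root login without MFA that FAILED -> not a successful non-MFA login
    {"eventTime": "2024-01-01T08:10:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    # 4. Root login without MFA that succeeded -> in scope (root is always admin)
    {"eventTime": "2024-01-01T08:11:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # 5. Federated (AssumedRole) console login: CloudTrail records MFAUsed "No"
    #    even when the identity provider enforced MFA, so expect false positives
    {"eventTime": "2024-01-01T08:20:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Developers/carol"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    # 6. Unrelated API call, dropped by the eventName filter
    {"eventTime": "2024-01-01T08:30:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def load_records(raw: str) -> List[Dict[str, Any]]:
    """Accept a CloudTrail delivery file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(raw)
    return data["Records"] if isinstance(data, dict) else data


def is_successful_non_mfa_console_login(rec: Dict[str, Any]) -> bool:
    """The alert's three conditions: ConsoleLogin, MFA not used, outcome not Failure."""
    if rec.get("eventName") != "ConsoleLogin":
        return False
    mfa_used = str((rec.get("additionalEventData") or {}).get("MFAUsed", "")).lower()
    outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
    return mfa_used != "yes" and outcome != "Failure"


def is_administrative(rec: Dict[str, Any], admin_arns: FrozenSet[str]) -> bool:
    """Root is always administrative; other principals are matched by ARN allow-list."""
    identity = rec.get("userIdentity") or {}
    return identity.get("type") == "Root" or identity.get("arn") in admin_arns


def find_non_mfa_logins(raw: str, admin_only: bool = False,
                        admin_arns: FrozenSet[str] = frozenset()) -> List[Dict[str, Any]]:
    """Return one pivot record per matching login (principal, IP, time, identity type)."""
    hits = []
    for rec in load_records(raw):
        if not is_successful_non_mfa_console_login(rec):
            continue
        if admin_only and not is_administrative(rec, admin_arns):
            continue
        identity = rec.get("userIdentity") or {}
        hits.append({
            "time": rec.get("eventTime"),
            "principal": identity.get("arn"),
            "identity_type": identity.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            # Triage hint: federated logins look MFA-less in CloudTrail even when
            # the IdP required MFA; verify against the IdP before escalating.
            "likely_idp_mfa": identity.get("type") == "AssumedRole",
        })
    return hits


if __name__ == "__main__":
    for hit in find_non_mfa_logins(SAMPLE_CLOUDTRAIL):
        print(hit)
```

Run against the constructed file, the unscoped query returns the alice, root and federated logins and drops the MFA login, the failed root attempt and the EC2 call; with admin_only=True and alice's ARN in admin_arns, only alice and root remain. The likely_idp_mfa flag is a triage aid for the "Service Accounts"-style false positives listed above: an AssumedRole ConsoleLogin via a SAML provider shows MFAUsed "No" in CloudTrail because MFA was enforced by the identity provider rather than by AWS.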