The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

« AWS IAM Brute Force of Assume Role Policy AWS IAM Group Creation »

› › ›

AWS IAM Deactivation of MFA Device

edit

AWS IAM Deactivation of MFA Device

edit

Identifies the deactivation of a specific multi-factor authentication (MFA) device and removes its association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.

Rule type: query

Rule indices:

filebeat-*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

AWS
Elastic
SecOps
Monitoring
Continuous Monitoring

Version: 1

Added (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If a known behavior is causing false positives, it can be excluded from the rule.

Investigation guide

edit

The AWS Filebeat module must be enabled to use this rule.

Rule query

edit

event.action:DeactivateMFADevice and event.dataset:aws.cloudtrail and
event.provider:iam.amazonaws.com and event.outcome:success

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Impact
- ID: TA0040
- Reference URL: https://attack.mitre.org/tactics/TA0040/
Technique:
- Name: Account Access Removal
- ID: T1531
- Reference URL: https://attack.mitre.org/techniques/T1531/

« AWS IAM Brute Force of Assume Role Policy AWS IAM Group Creation »