I'm trying to get an alert when a user fails to log in to the AWS console. I wrote an EventBridge rule based on the CloudTrail log.

Raw log:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "XXXXXXXXXXXXX",
        "accountId": "XXXXXXXXXXX",
        "accessKeyId": "",
        "userName": "XXXXXXXX"
    },
    "eventTime": "XXXXXXXXXXXXXXX",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "XXXXXXXXX",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
    "errorMessage": "Failed authentication",
    "requestParameters": null,
    "responseElements": {
        "ConsoleLogin": "Failure"
    },

Here I want to take the input as "ConsoleLogin": "Failure". How do I create a rule in EventBridge?

EventBridge rule:

{
  "detail-type": [
    "AWS Console Sign In via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "signin.amazonaws.com"
    ],
    "eventName": [
      "ConsoleLogin"
    ],
    "type": [
      "Root",
      "AssumedRole",
      "IAMUser"
    ],
    "responseElements": {
      "ConsoleLogin": [
        "Failure"
      ]
    }
  }
}

Is this the right rule?

  • Have you tried yourself? What was the response? – shimo Jul 28 '21 at 19:53
  • I tried but EventBridge didn't respond when an event triggers from CloudTrail. – T Paul Manohar Jul 29 '21 at 06:15
  • I've tried the rule above and it worked fine. The failed login was detected with EventBridge and notified with SNS. I had a similar problem once, and just re-creating everything worked (at that time; used [this cfn](https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-cloudwatch-rule/?nc1=h_ls)). – shimo Jul 29 '21 at 07:53
  • Still the same problem, even after changing the EventBridge rule. This is the event rule: { "detail-type": [ "AWS API Call via CloudTrail" ], "detail": { "userIdentity": { "type": [ "Root", "AssumedRole", "IAMUser" ] }, "responseElements": { "ConsoleLogin": [ "Failure" ] } } } – T Paul Manohar Jul 29 '21 at 14:16
  • It only works if I edit it to this one: { "detail-type": [ "AWS API Call via CloudTrail" ] } – T Paul Manohar Jul 29 '21 at 14:23
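
An offline way to check the patterns discussed above against the record in the question. This is an added example, not code from the original post or from AWS: the matcher covers only exact-value matching, the envelope is constructed from the fields shown in the question plus the `source` and `detail-type` that EventBridge uses for console sign-in events, and the `candidate` rule is hypothetical.

```python
# Added illustration (not AWS code): exact-value subset of EventBridge event
# pattern matching. Prefix/numeric/exists operators are not handled.
def matches(pattern, event):
    """True when every field named in the pattern exists in the event and matches."""
    for key, want in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False          # a pattern field missing from the event never matches
        have = event[key]
        if isinstance(want, dict):
            if not matches(want, have):
                return False
        else:                     # leaf: list of accepted values
            values = have if isinstance(have, list) else [have]
            if not any(v in want for v in values):
                return False
    return True

# Constructed envelope: the question's record (placeholders kept) as delivered to a rule.
EVENT = {
    "source": "aws.signin",
    "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {
        "userIdentity": {"type": "IAMUser", "userName": "XXXXXXXX"},
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "responseElements": {"ConsoleLogin": "Failure"},
    },
}

TYPES = ["Root", "AssumedRole", "IAMUser"]
FAILED = {"ConsoleLogin": ["Failure"]}
SIGNIN = ["AWS Console Sign In via CloudTrail"]
RULES = {
    # Question's rule: "type" sits directly under "detail".
    "question": {"detail-type": SIGNIN, "detail": {
        "eventSource": ["signin.amazonaws.com"], "eventName": ["ConsoleLogin"],
        "type": TYPES, "responseElements": FAILED}},
    # Rule from the comment: detail-type is "AWS API Call via CloudTrail".
    "comment": {"detail-type": ["AWS API Call via CloudTrail"], "detail": {
        "userIdentity": {"type": TYPES}, "responseElements": FAILED}},
    # Hypothetical candidate: sign-in detail-type, "type" under "userIdentity".
    "candidate": {"detail-type": SIGNIN, "detail": {
        "eventSource": ["signin.amazonaws.com"], "eventName": ["ConsoleLogin"],
        "userIdentity": {"type": TYPES}, "responseElements": FAILED}},
}

def evaluate():
    return {name: matches(rule, EVENT) for name, rule in RULES.items()}

print(evaluate())
```

The record in the question shows `awsRegion` as `us-east-1`; EventBridge rules are regional, so a rule only sees sign-in events delivered in the region where it is created.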

0 Answers