Skip to main content
All CollectionsTemplatesIntermediate
Handle Suspicious AWS Console Logins (AWS SNS) - Workflow Template
Handle Suspicious AWS Console Logins (AWS SNS) - Workflow Template

Check source IP of the login session, verify with user if suspicious or malicious. If acknowledged - log a ticket. Otherwise - remediate.

Updated over 6 months ago

This workflow template addresses the critical need for organizations to maintain cybersecurity by automating the response to potential intrusion events. Specifically, it focuses on handling suspicious AWS Console logins. Upon login, the source IP is checked against VirusTotal for any associated risks. If the login is by the root user, a ServiceNow incident is logged immediately. Otherwise, the user is contacted via Slack to confirm the activity. Unacknowledged logins trigger the deactivation of the user's login profile and access keys, followed by logging a detailed ServiceNow incident for further investigation. This automated process is essential for rapid incident response and minimizing potential security breaches.

Take Me to the Template

Trigger

Amazon SNS

Use Cases

null

Workflow Breakdown

  1. Check Source IP of the Login in VirusTotal

  2. Verify if the login was a root or user login, if root login log a ServiceNow incident

  3. Find the user in Slack and ask to acknowledge login

  4. If acknowledged, open and automatically resolve a ServiceNow Incident

  5. If not acknowledged - disable the users login profile and access keys

  6. Open a ServiceNow incident with the details of the event

Vendors

AWS, Slack, VirusTotal, ServiceNow

Related Articles
Alert on Google Login Activity Outside of Allowed Regions - Workflow Template
Ask Users to Confirm Failed JumpCloud Login Attempts - Workflow Template
Okta event on MFA addition with user Verification (Okta) - Workflow Template
Detect impossible travels in Okta logins. - Workflow Template
Handle Gem Alert for Root Usage - Workflow Template
Did this answer your question?