Detect AWS Console Login by User from New City

name: Detect AWS Console Login by User from New City
id: 121b0b11-f8ac-4ed6-a132-3800ca4fc07a
version: 8
date: '2026-02-25'
author: Bhavin Patel, Eric McGinnis Splunk
status: production
type: Hunting
description: The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.
data_source:
    - AWS CloudTrail
search: |-
    | tstats earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Authentication
      WHERE Authentication.signature=ConsoleLogin
      BY Authentication.user Authentication.src
    | iplocation Authentication.src
    | `drop_dm_object_name(Authentication)`
    | rename City as justSeenCity
    | table firstTime lastTime user justSeenCity
    | join user type=outer [
    | inputlookup previously_seen_users_console_logins
    | rename City as previouslySeenCity
    | stats min(firstTime) AS earliestseen
      BY user previouslySeenCity
    | fields earliestseen user previouslySeenCity]
    | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City")
    | where userCity = "New City"
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | table firstTime lastTime user previouslySeenCity justSeenCity userCity
    | `detect_aws_console_login_by_user_from_new_city_filter`
how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.
known_false_positives: When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.
references: []
tags:
    analytic_story:
        - Suspicious AWS Login Activities
        - Suspicious Cloud Authentication Activities
        - AWS Identity and Access Management Account Takeover
        - Compromised User Account
    asset_type: AWS Instance
    mitre_attack_id:
        - T1535
        - T1586.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
    manual_test: This search needs the baseline to be run first to create a lookup. It also requires that the timestamps in the dataset be updated.
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail