splunk_escu | Hunting

Detect AWS Console Login by New User

The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail ConsoleLogin events from the Authentication data model and compares the user field (the IAM ARN) against a lookup of previously seen console users. A user is reported when the ARN is absent from the lookup or was first seen within the last 24 hours, so the hourly lookup refresh does not immediately suppress a brand-new principal. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.

MITRE ATT&CK

T1552, T1586.003

Detection Query

| tstats earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Authentication
  WHERE Authentication.signature=ConsoleLogin
  BY Authentication.user
| `drop_dm_object_name(Authentication)`
| join user type=outer [
| inputlookup previously_seen_users_console_logins
| stats min(firstTime) as earliestseen
  BY user]
| eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User")
| where userStatus="First Time Logging into AWS Console"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_aws_console_login_by_new_user_filter`
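The following is an added, stand-alone Python re-implementation of the search logic above and of the baseline procedure described under `how_to_implement` in the Raw Content (Initial baseline over 30 days, then hourly Update). It is not code from the ESCU project or the Splunk Add-on for AWS. It runs over constructed CloudTrail ConsoleLogin records (the account ID, ARNs and timestamps are made up), keys users on the `userIdentity.arn` value as the description says the lookup does, and reproduces the `-24h@h` rule: a user is reported when absent from the lookup or first seen within the last 24 hours. Like the search, it restricts only on the ConsoleLogin signature and not on success or failure.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)   # stands in for Splunk now()
ACCT = "arn:aws:iam::123456789012:user/"                  # constructed account ID

def _event(arn, when, outcome="Success"):
    """Build one constructed CloudTrail ConsoleLogin record as a JSON line."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "responseElements": {"ConsoleLogin": outcome},
    })

# Constructed log: alice is long-standing, bob first appeared 90 minutes ago
# (after the initial baseline, before the last hourly update), carol and dave
# have never been seen, and dave's attempt failed.
RAW_LOG = [
    _event(ACCT + "alice", NOW - timedelta(days=29)),
    _event(ACCT + "alice", NOW - timedelta(minutes=20)),
    _event(ACCT + "bob",   NOW - timedelta(minutes=90)),
    _event(ACCT + "bob",   NOW - timedelta(minutes=30)),
    _event(ACCT + "carol", NOW - timedelta(minutes=5)),
    _event(ACCT + "dave",  NOW - timedelta(minutes=1), outcome="Failure"),
]

def parse_console_logins(lines):
    """Yield (user_arn, event_time) for ConsoleLogin records. The search filters
    on Authentication.signature only, so failed logins are kept as well."""
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev["userIdentity"]["arn"], t.replace(tzinfo=timezone.utc)

def aggregate_logins(lines, start, end):
    """The tstats stage: earliest/latest login per user inside the search window."""
    agg = {}
    for user, t in parse_console_logins(lines):
        if start <= t <= end:
            first, last = agg.get(user, (t, t))
            agg[user] = (min(first, t), max(last, t))
    return agg

def build_baseline(lines, as_of, lookback_days=30):
    """'Previously Seen Users in CloudTrail - Initial': firstTime per user over the
    trailing 30 days, as the previously_seen_users_console_logins lookup holds it."""
    window = aggregate_logins(lines, as_of - timedelta(days=lookback_days), as_of)
    return {user: first for user, (first, _) in window.items()}

def update_baseline(baseline, lines, since, as_of):
    """'Previously Seen Users in CloudTrail - Update': merge the latest window,
    keeping the earliest firstTime per user (the stats min(firstTime) step)."""
    merged = dict(baseline)
    for user, (first, _) in aggregate_logins(lines, since, as_of).items():
        merged[user] = min(merged[user], first) if user in merged else first
    return merged

def relative_time_24h_at_h(now):
    """Splunk relative_time(now(), "-24h@h"): back 24 hours, snapped to the hour."""
    return (now - timedelta(hours=24)).replace(minute=0, second=0, microsecond=0)

def detect_new_users(lines, baseline, now, window=timedelta(hours=1)):
    """The eval/where stage: report a user when the lookup has no entry for the ARN
    OR its earliestseen is within the last 24h. The second clause is what keeps a
    user that the hourly update already wrote to the lookup from being hidden."""
    threshold = relative_time_24h_at_h(now)
    hits = []
    for user, (first, last) in sorted(aggregate_logins(lines, now - window, now).items()):
        earliest_seen = baseline.get(user)
        if earliest_seen is None or earliest_seen >= threshold:
            hits.append({"user": user, "firstTime": first, "lastTime": last,
                         "userStatus": "First Time Logging into AWS Console"})
    return hits

def run_demo():
    """Initial baseline two hours ago, hourly update one hour ago, detection now."""
    initial = build_baseline(RAW_LOG, as_of=NOW - timedelta(hours=2))
    current = update_baseline(initial, RAW_LOG,
                              since=NOW - timedelta(hours=2), as_of=NOW - timedelta(hours=1))
    short = lambda arn: arn.rsplit("/", 1)[1]
    return {
        "initial_baseline": sorted(short(u) for u in initial),
        "updated_baseline": sorted(short(u) for u in current),
        "flagged": [short(h["user"]) for h in detect_new_users(RAW_LOG, current, NOW)],
    }

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))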


Author

Rico Valdez, Splunk

Created

2026-02-25

Data Sources

AWS CloudTrail

Tags

Suspicious Cloud Authentication Activities
AWS Identity and Access Management Account Takeover
Raw Content
name: Detect AWS Console Login by New User
id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71
version: 10
date: '2026-02-25'
author: Rico Valdez, Splunk
status: production
type: Hunting
description: The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.
data_source:
    - AWS CloudTrail
search: |-
    | tstats earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Authentication
      WHERE Authentication.signature=ConsoleLogin
      BY Authentication.user
    | `drop_dm_object_name(Authentication)`
    | join user type=outer [
    | inputlookup previously_seen_users_console_logins
    | stats min(firstTime) as earliestseen
      BY user]
    | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User")
    | where userStatus="First Time Logging into AWS Console"
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `detect_aws_console_login_by_new_user_filter`
how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.
known_false_positives: When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.
references: []
tags:
    analytic_story:
        - Suspicious Cloud Authentication Activities
        - AWS Identity and Access Management Account Takeover
    asset_type: AWS Instance
    mitre_attack_id:
        - T1552
        - T1586.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
    manual_test: This search needs the baseline `Previously Seen Users in CloudTrail - Initial` to be run first.
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/abnormally_high_cloud_instances_launched/cloudtrail_behavioural_detections.json
          sourcetype: aws:cloudtrail
          source: aws_cloudtrail