Improve FilterPattern for ConsoleSignInWithoutMfaCount and improve Th…

…reshold of AuthorizationFailuresAlarm
DNXLabs · Aug 22, 2024 · e5727ea · e5727ea
1 parent 34da9be
commit e5727ea
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/cloudtrail-alarms-full.cf.json b/cloudtrail-alarms-full.cf.json
@@ -285,7 +285,7 @@
                 "EvaluationPeriods" : "1",
                 "Period" : "300",
                 "Statistic" : "Sum",
-                "Threshold" : "1"
+                "Threshold" : "5"
 
             }
         },
@@ -483,7 +483,7 @@
           "Type": "AWS::Logs::MetricFilter",
           "Properties": {
               "LogGroupName": { "Ref" : "CloudTrailLogGroupName" },
-              "FilterPattern": "{ $.eventName = ConsoleLogin && $.additionalEventData.MFAUsed = No }",
+              "FilterPattern": "{ $.eventName = ConsoleLogin && $.additionalEventData.MFAUsed = No && $.userIdentity.type = IAMUser && $.responseElements.ConsoleLogin = Success }",
               "MetricTransformations": [
                   {
                       "MetricNamespace": "CloudTrailMetrics",