[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)

Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.

(cherry picked from commit 0ed6b3f)
imays11 authored and github-actions[bot] committed Sep 24, 2024
1 parent cda0855 commit 75da23d
Showing 1 changed file with 3 additions and 2 deletions.
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/05/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/24"
updated_date = "2024/09/30"

[rule]
author = ["Elastic"]
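Review bot: `updated_date = "2024/09/30"` postdates the commit date shown on this page (Sep 24, 2024), so the stamp does not match when the tuning was actually made; if the convention is to record the change date rather than a planned release date, it should be corrected, and if it is intentional the commit message should say so.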
Expand Down Expand Up @@ -93,7 +93,8 @@ timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:"aws.cloudtrail" and event.provider:"sts.amazonaws.com" and event.action:"GetCallerIdentity"
event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "GetCallerIdentity"
and not aws.cloudtrail.user_identity.type: "AssumedRole"
'''


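Review bot: excluding every `AssumedRole` identity with `and not aws.cloudtrail.user_identity.type: "AssumedRole"` also removes coverage for the sessions this rule is most useful against, e.g. a stolen instance-profile or cross-account role session whose first call is `GetCallerIdentity`, because those arrive with the same identity type as the benign automation the commit message describes. Consider narrowing the exclusion to the known automation principals (an allowlist on the assumed-role ARN, if the integration exposes it) instead of the whole identity type, or at minimum record the coverage gap in the rule's false-positive notes so analysts know assumed-role sessions are now out of scope. The added spaces after the field names in the first query line are cosmetic and fine for KQL.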
