[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)

Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.

(cherry picked from commit 0ed6b3f)
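To make the effect of the tuning concrete, the following is an added example (not code from the detection-rules repository or from the commit author). It applies the query before and after this change to a handful of constructed CloudTrail-style events, then runs a simplified stand-in for a `new_terms` rule over the survivors. Two things are assumptions, because the page does not show them: that the rule keys its new-term check on `aws.cloudtrail.user_identity.arn`, and that the history window is 14 days.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail events (not real telemetry), flattened to the
# field names the rule's query references. The assumed-role session ARNs differ
# per run, which is what makes AssumedRole so noisy for a first-seen rule.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-09-01T10:00:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.type": "AssumedRole",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-1"},
    {"@timestamp": "2024-09-01T10:05:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.type": "AssumedRole",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/run-2"},
    {"@timestamp": "2024-09-01T11:00:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.type": "IAMUser",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/alice"},
    {"@timestamp": "2024-09-02T09:00:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.type": "IAMUser",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/alice"},
    {"@timestamp": "2024-09-03T08:00:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.type": "FederatedUser",
     "aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:federated-user/bob"},
    # Not a GetCallerIdentity call: must be ignored by both versions of the query.
    {"@timestamp": "2024-09-03T08:01:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "AssumeRole",
     "aws.cloudtrail.user_identity.type": "IAMUser",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/alice"},
    # 18 days after alice's previous GetCallerIdentity: outside the assumed window.
    {"@timestamp": "2024-09-20T12:00:00Z", "event.dataset": "aws.cloudtrail",
     "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
     "aws.cloudtrail.user_identity.type": "IAMUser",
     "aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/alice"},
]


def _base_match(event):
    """The three clauses shared by both versions of the query."""
    return (event.get("event.dataset") == "aws.cloudtrail"
            and event.get("event.provider") == "sts.amazonaws.com"
            and event.get("event.action") == "GetCallerIdentity")


def original_query(event):
    """Query before the commit: every STS GetCallerIdentity event."""
    return _base_match(event)


def tuned_query(event):
    """Query after the commit: the same, minus AssumedRole identities."""
    return _base_match(event) and event.get("aws.cloudtrail.user_identity.type") != "AssumedRole"


def first_seen_alerts(events, query,
                      term_field="aws.cloudtrail.user_identity.arn",   # assumption
                      history_window=timedelta(days=14)):              # assumption
    """Simplified new_terms stand-in: alert when term_field holds a value that no
    matching event carried during the preceding history_window. Real new_terms
    rules evaluate per execution window, but the first-seen logic is the same idea."""
    last_seen = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not query(event):
            continue
        term = event.get(term_field)
        ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        previous = last_seen.get(term)
        if previous is None or ts - previous > history_window:
            alerts.append(event)
        last_seen[term] = ts   # update even when not alerting, so the window slides
    return alerts


if __name__ == "__main__":
    for label, query in (("before tuning", original_query), ("after tuning", tuned_query)):
        hits = first_seen_alerts(SAMPLE_EVENTS, query)
        print(f"{label}: {len(hits)} alerts")
        for e in hits:
            print("  ", e["@timestamp"], e["aws.cloudtrail.user_identity.type"],
                  e["aws.cloudtrail.user_identity.arn"])
```

Run as a script it lists the alerts each version of the query produces. Note what the tuned query gives up: an attacker who obtains assumed-role session credentials and checks them with GetCallerIdentity produces an AssumedRole event and is now filtered out, so the exclusion trades that coverage for the alert-volume reduction the commit message reports.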
imays11 authored and github-actions[bot] committed Sep 24, 2024
1 parent 914f1dc commit 83006dd
Showing 1 changed file with 3 additions and 2 deletions.
@@ -2,7 +2,7 @@
creation_date = "2024/05/24"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/24"
updated_date = "2024/09/30"

[rule]
author = ["Elastic"]
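Review bot: `updated_date` is bumped to "2024/09/30", which is later than the date this commit was authored and committed (Sep 24, 2024, per the header); if the field is meant to record when the tuning landed it should not postdate the commit, so confirm the intended value against the original commit 0ed6b3f this was cherry-picked from.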
@@ -93,7 +93,8 @@ timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:"aws.cloudtrail" and event.provider:"sts.amazonaws.com" and event.action:"GetCallerIdentity"
event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "GetCallerIdentity"
and not aws.cloudtrail.user_identity.type: "AssumedRole"
'''
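Review bot: the added clause `and not aws.cloudtrail.user_identity.type: "AssumedRole"` drops every assumed-role identity, including the case where credentials taken from an assumed-role session are checked with GetCallerIdentity, which is the scenario a first-time GetCallerIdentity rule is usually expected to catch; consider a narrower exclusion (for example the specific automation role ARNs that account for the ~240,000 events cited in the commit message, handled through the rule's exception mechanism) or, if the blanket exclusion is the intended trade-off, record it in the rule's description and false-positives notes so analysts know AssumedRole activity is no longer covered. The added spaces after the colons on the unchanged clauses are cosmetic and fine.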


