First Occurrence of STS GetFederationToken Request by User

Identifies the first occurrence, within the last 10 days, of an AWS Security Token Service (STS) GetFederationToken request by a given user. GetFederationToken returns temporary security credentials for a federated user. It is normally called by an IAM user holding long-term access keys, and the permissions of the resulting session are the intersection of the caller's identity-based policies and the session policy supplied in the request. An adversary who has obtained an IAM user's credentials may call this API to mint additional temporary credentials that can stay valid for up to 36 hours and cannot be revoked before they expire, giving them a second, longer-lived foothold in the account. A user who has never called this API before doing so is therefore worth reviewing.

Rule type: new_terms

Rule indices:

  • filebeat-*
  • logs-aws.cloudtrail-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Domain: Cloud
  • Data Source: Amazon Web Services
  • Data Source: AWS
  • Data Source: AWS STS
  • Use Case: Threat Detection
  • Tactic: Defense Evasion

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

event.dataset: "aws.cloudtrail"
    and event.provider: sts.amazonaws.com
    and event.action: GetFederationToken
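To show how the query and the new_terms logic combine, here is an added example (not part of the Elastic rule or its documentation) that maps raw CloudTrail records onto the ECS fields the query uses, evaluates the query on each document, and then emits an alert only the first time a user appears in a matching event within a 10-day history window. It assumes the per-user term is keyed on user.name taken from userIdentity.arn; the page does not state which field the rule keys on. The CloudTrail records are constructed for illustration and are not real log data.

```python
"""First-occurrence detection for STS GetFederationToken, mirroring the rule above."""
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records, one JSON document per line (not real log data).
SAMPLE_CLOUDTRAIL_JSONL = """\
{"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"name": "alice-session", "durationSeconds": 129600}}
{"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": null}
{"eventTime": "2024-05-02T09:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"name": "alice-session", "durationSeconds": 3600}}
{"eventTime": "2024-05-03T12:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}, "requestParameters": {"name": "bob-session", "durationSeconds": 129600}}
{"eventTime": "2024-05-20T08:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"name": "alice-session", "durationSeconds": 129600}}
"""


def to_ecs(raw: dict) -> dict:
    """Map the CloudTrail fields the rule needs onto their ECS names.

    Assumption: the per-user term is user.name = userIdentity.arn; the page does
    not say which field the new_terms rule keys on.
    """
    ts = datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts,
        "event.dataset": "aws.cloudtrail",
        "event.provider": raw["eventSource"],
        "event.action": raw["eventName"],
        "user.name": (raw.get("userIdentity") or {}).get("arn", "<unknown>"),
        "aws.cloudtrail.request_parameters": raw.get("requestParameters") or {},
    }


def matches_query(doc: dict) -> bool:
    """The rule's KQL, evaluated against one ECS document."""
    return (
        doc["event.dataset"] == "aws.cloudtrail"
        and doc["event.provider"] == "sts.amazonaws.com"
        and doc["event.action"] == "GetFederationToken"
    )


def first_occurrences(jsonl: str, window_days: int = 10) -> list:
    """Return one alert per user the first time they match the query, and again
    only if they go more than window_days without a matching event (new_terms)."""
    window = timedelta(days=window_days)
    docs = sorted(
        (to_ecs(json.loads(line)) for line in jsonl.splitlines() if line.strip()),
        key=lambda d: d["@timestamp"],
    )
    last_seen: dict = {}  # user.name -> timestamp of most recent matching event
    alerts = []
    for doc in docs:
        if not matches_query(doc):
            continue
        user, ts = doc["user.name"], doc["@timestamp"]
        prev = last_seen.get(user)
        if prev is None or ts - prev > window:
            alerts.append({
                "user.name": user,
                "@timestamp": ts.isoformat(),
                # Requested session lifetime; long values (up to 36h) are the ones to look at.
                "duration_seconds": doc["aws.cloudtrail.request_parameters"].get("durationSeconds"),
            })
        last_seen[user] = ts  # every matching event, alert or not, refreshes the window
    return alerts


if __name__ == "__main__":
    for alert in first_occurrences(SAMPLE_CLOUDTRAIL_JSONL):
        print(json.dumps(alert))
```

On the constructed input this yields three alerts: alice's first call on 1 May, bob's first call on 3 May, and alice again on 20 May because more than 10 days passed since her previous call. Alice's second call on 2 May and the GetCallerIdentity event produce nothing. Widening the window to 30 days suppresses the 20 May alert, which is the trade-off a new_terms history window makes between noise and missed re-occurrences.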

Framework: MITRE ATT&CK™