First Occurrence of STS GetFederationToken Request by User
Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user within the last 10 days. The GetFederationToken API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to.
Rule type: new_terms
Rule indices:
- filebeat-*
- logs-aws.cloudtrail-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Data Source: Amazon Web Services
- Data Source: AWS
- Data Source: AWS STS
- Use Case: Threat Detection
- Tactic: Defense Evasion
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
event.dataset: "aws.cloudtrail" and event.provider: sts.amazonaws.com and event.action: GetFederationToken
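To show how the query above combines with the new_terms rule type, the following added example (not part of the Elastic rule or its engine) emulates the detection on a handful of constructed events in a simplified ECS-like shape. It assumes the user is tracked by a flat user.name field and that "new" means the user has no matching event in the preceding 10-day window.

```python
from datetime import datetime, timedelta

NEW_TERMS_WINDOW = timedelta(days=10)  # "first occurrence within the last 10 days"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ev(ts, provider, action, user):
    # Constructed event in a flattened ECS-like layout; not real CloudTrail output.
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": provider, "event.action": action, "user.name": user}


# Constructed sample log: alice calls GetFederationToken twice inside one window
# and again 17 days later; bob calls it once; one non-matching STS call is mixed in.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "sts.amazonaws.com", "GetFederationToken", "alice"),
    _ev("2024-05-02T11:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "alice"),
    _ev("2024-05-03T09:30:00Z", "sts.amazonaws.com", "GetFederationToken", "alice"),
    _ev("2024-05-04T08:00:00Z", "sts.amazonaws.com", "GetFederationToken", "bob"),
    _ev("2024-05-20T12:00:00Z", "sts.amazonaws.com", "GetFederationToken", "alice"),
]


def matches_rule_query(ev):
    """The rule's KQL filter expressed over the flattened event dict."""
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") == "GetFederationToken")


def first_occurrences(events, window=NEW_TERMS_WINDOW):
    """Emulate new_terms on user.name: alert when a matching event's user has not
    produced a matching event within `window` before it. Returns (user, timestamp)."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule_query(ev):
            continue  # non-matching events neither alert nor count as "seen"
        ts = datetime.strptime(ev["@timestamp"], TS_FMT)
        user = ev["user.name"]
        prev = last_seen.get(user)
        if prev is None or ts - prev > window:
            alerts.append((user, ev["@timestamp"]))
        last_seen[user] = ts  # every matching event refreshes the history window
    return alerts


if __name__ == "__main__":
    for user, ts in first_occurrences(SAMPLE_EVENTS):
        print(f"ALERT first GetFederationToken by {user} at {ts}")
```

Running it alerts on alice's first call, bob's first call, and alice's May 20 call (outside the 10-day window), while the May 3 repeat and the GetCallerIdentity event are suppressed.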
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: Use Alternate Authentication Material
  - ID: T1550
  - Reference URL: https://attack.mitre.org/techniques/T1550/
- Sub-technique:
  - Name: Application Access Token
  - ID: T1550.001
  - Reference URL: https://attack.mitre.org/techniques/T1550/001/