[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens (#4901)

imays11 · tradebot-elastic · commit 17186fc30e4c · 2025-07-15T23:15:48.000Z
- rule triggers as expected, however its triggering for failed requests - added `event.outcome: success` to query - added highlighted fields - adjusted rule execution window (cherry picked from commit 494a9e0)
diff --git a/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml b/rules/integrations/aws/persistence_iam_api_calls_via_user_session_token.toml
@@ -2,20 +2,19 @@
 creation_date = "2025/04/16"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/04/16"
+updated_date = "2025/07/10"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects use of sensitive AWS STS or IAM API operations using temporary credentials (session tokens starting with 'ASIA').
-This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
+Detects use of sensitive AWS IAM API operations using temporary credentials (session tokens starting with 'ASIA'). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
 """
 false_positives = [
     """
     Some CI/CD pipelines or administrative users may use session tokens. Review user context, IP, and timing to validate.
     """,
 ]
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -29,15 +28,15 @@ This rule detects sensitive IAM API operations performed using temporary AWS cre
 
 #### Possible investigation steps:
 
-- Review aws.cloudtrail.user_identity.arn to determine which IAM user or assumed role initiated the request.
-- Check aws.cloudtrail.user_identity.access_key_id to confirm if the credential starts with 'ASIA', indicating a temporary session token.
-- Examine aws.cloudtrail.user_identity.session_context.mfa_authenticated to verify whether MFA was present during session creation.
-- Investigate source.ip to assess whether the request originated from a known network, office IP, or corporate VPN.
-- Look at user_agent.original to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
+- Review `aws.cloudtrail.user_identity.arn` to determine which IAM user or assumed role initiated the request.
+- Check `aws.cloudtrail.user_identity.access_key_id` to confirm if the credential starts with 'ASIA', indicating a temporary session token.
+- Examine `aws.cloudtrail.user_identity.session_context.mfa_authenticated` to verify whether MFA was present during session creation.
+- Investigate `source.ip` to assess whether the request originated from a known network, office IP, or corporate VPN.
+- Look at `user_agent.original` to determine if the API call came from a known CLI version or unexpected tool (e.g., unknown SDK, custom script).
 - Confirm whether a recent sts:GetSessionToken, sts:AssumeRole, or AWS SSO login event issued the temporary credential.
 - Correlate other events using the same access key ID to identify additional privileged actions, such as iam:CreateAccessKey, iam:PutUserPolicy, or iam:EnableMFADevice.
 - Analyze timing via @timestamp to determine if the action occurred during off-hours or deviates from normal user behavior.
-- Review the event.outcome to check if the API call was successful or failed, which may indicate unauthorized access attempts.
+- Review the `event.outcome` to check if the API call was successful or failed, which may indicate unauthorized access attempts.
 - Check for related events in the same session, such as iam:CreateUser, iam:AttachUserPolicy, or sts:GetCallerIdentity, to identify potential lateral movement or privilege escalation.
 
 ### False positive analysis:
@@ -77,10 +76,27 @@ type = "new_terms"
 query = '''
 event.dataset: aws.cloudtrail
     and event.provider: ("iam.amazonaws.com")
+    and event.outcome: "success"
     and aws.cloudtrail.user_identity.type: "IAMUser"
     and aws.cloudtrail.user_identity.access_key_id: ASIA*
 '''
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters"
+]
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
