elastic
diff --git a/‎detection_rules/etc/non-ecs-schema.json‎
Lines changed: 13 additions & 1 deletion b/‎detection_rules/etc/non-ecs-schema.json‎
Lines changed: 13 additions & 1 deletion
diff --git a/‎rules/integrations/aws/defense_evasion_sts_get_federation_token.toml‎
Lines changed: 55 additions & 22 deletions b/‎rules/integrations/aws/defense_evasion_sts_get_federation_token.toml‎
Lines changed: 55 additions & 22 deletions
diff --git a/‎rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml‎
Lines changed: 39 additions & 25 deletions b/‎rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml‎
Lines changed: 39 additions & 25 deletions
@@ -43,7 +43,7 @@
         "TargetLogonId": "keyword",
         "TargetProcessGUID": "keyword",
         "TargetSid": "keyword",
-      	"SchemaFriendlyName": "keyword",
+        "SchemaFriendlyName": "keyword",
         "Resource": "keyword",
         "RpcCallClientLocality": "keyword",
         "PrivilegeList": "keyword",
@@ -207,5 +207,17 @@
   "logs-okta*": {
     "okta.debug_context.debug_data.flattened.requestedScopes": "keyword",
     "okta.debug_context.debug_data.flattened.grantType": "keyword"
+  },
+  "logs-network_traffic.http*": {
+    "data_stream.dataset": "keyword",
+    "url.path": "keyword",
+    "http.request.referrer": "keyword",
+    "http.request.headers.content-type": "keyword",
+    "network.direction": "keyword",
+    "http.request.method": "keyword",
+    "request": "keyword",
+    "http.request.body.bytes": "long",
+    "http.request.body.content": "keyword",
+    "http.response.headers.server": "keyword"
   }
 }
@@ -2,60 +2,62 @@
 creation_date = "2024/08/19"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/25"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the first occurrence of an AWS Security Token Service (STS) `GetFederationToken` request made by a user
-within the last 10 days. The `GetFederationToken` API call allows users to request temporary security credentials to
-access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not
-normally have access to.
+Identifies the first occurrence of an AWS Security Token Service (STS) GetFederationToken request made by a user. The GetFederationToken API call allows users to request temporary security credentials to
+access AWS resources. The maximum expiration period for these tokens is 36 hours and they can be used to create a console signin token even for identities that don't already have one. Adversaries may use this API to obtain temporary credentials for persistence and to bypass IAM API call limitations by gaining console access.
 """
-from = "now-9m"
+from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Occurrence of STS GetFederationToken Request by User"
+name = "AWS First Occurrence of STS GetFederationToken Request by User"
 references = [
-    "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/"
+    "https://hackingthe.cloud/aws/post_exploitation/survive_access_key_deletion_with_sts_getfederationtoken/",
+    "https://www.crowdstrike.com/en-us/blog/how-adversaries-persist-with-aws-user-federation/",
+    "https://medium.com/@adan.alvarez/how-attackers-persist-in-aws-using-getfederationtoken-a-simple-and-effective-technique-used-in-the-987ec1f0bdfe/"
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "7a5cc9a8-5ea3-11ef-beec-f661ea17fbce"
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Cloud",
     "Data Source: Amazon Web Services",
     "Data Source: AWS",
     "Data Source: AWS STS",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
+    "Tactic: Persistence",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
 event.dataset: "aws.cloudtrail"
-    and event.provider: sts.amazonaws.com
-    and event.action: GetFederationToken
+    and event.provider:sts.amazonaws.com
+    and event.action:GetFederationToken
+    and event.outcome:success
 '''
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating First Occurrence of STS GetFederationToken Request by User
+### Investigating AWS First Occurrence of STS GetFederationToken Request by User
 
-AWS Security Token Service (STS) enables users to request temporary credentials for accessing AWS resources. While beneficial for legitimate use, adversaries may exploit this to gain unauthorized access. The detection rule identifies unusual activity by flagging the first instance of a `GetFederationToken` request by a user within a 10-day window, helping to uncover potential misuse aimed at evading defenses.
+AWS Security Token Service (STS) enables users to request temporary credentials for accessing AWS resources. While beneficial for legitimate use, adversaries may exploit this to gain unauthorized access. These credentials will remain active for the duration specified (maximum 36 hours), even if the initial compromised identity is deleted. They can also be used to request a console signin token which allows the adversary to make sensitive IAM API calls which would otherwise be denied with the federation token alone. The detection rule identifies unusual activity by flagging the first instance of a `GetFederationToken` request by a user helping to uncover potential misuse aimed at evading defenses and gaining persistence.
 
 ### Possible investigation steps
 
-- Review the specific user account associated with the GetFederationToken request to determine if the activity aligns with their typical behavior and role within the organization.
-- Examine the AWS CloudTrail logs for additional context around the time of the GetFederationToken request, looking for any other unusual or suspicious activities by the same user or related accounts.
-- Check the source IP address and geolocation of the GetFederationToken request to identify if it originates from an expected or unexpected location.
-- Investigate the resources accessed using the temporary credentials obtained from the GetFederationToken request to assess if there was any unauthorized or suspicious access.
-- Consult with the user or their manager to verify if the GetFederationToken request was legitimate and necessary for their work tasks.
+- Review the specific user account associated with the `GetFederationToken` request to determine if the activity aligns with their typical behavior and role within the organization.
+- Examine the AWS CloudTrail logs for additional context around the time of the `GetFederationToken` request, looking for any other unusual or suspicious activities by the same user or related accounts.
+- Check the `source.ip` and `source.geo` fields of the request to identify if it originates from an expected or unexpected location.
+- View the `aws.cloudtrail.response_elements` to find the created `federatedUser.arn`. Investigate the resources accessed by this Federated User to assess if there was any suspicious activity.
+- Consult with the requesting user `aws.cloudtrail.user_identity.arn` to verify if the `GetFederationToken` request was legitimate and necessary for their work tasks.
 
 ### False positive analysis
 
@@ -66,14 +68,29 @@ AWS Security Token Service (STS) enables users to request temporary credentials
 
 ### Response and remediation
 
-- Immediately revoke the temporary credentials associated with the `GetFederationToken` request to prevent unauthorized access to AWS resources.
-- Review CloudTrail logs to identify any suspicious activities performed using the temporary credentials and assess the potential impact on AWS resources.
-- Isolate the affected user account by disabling it temporarily to prevent further unauthorized actions until a thorough investigation is completed.
+- If compromise is verified, attach a policy that denies all actions, effectively preventing any further activity, even from temporary credentials. You can use the AWS-managed policy [AWSDenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html). This ensures that any temporary credentials generated by the compromised user are also blocked, stopping the attacker’s activities.
 - Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
 - Conduct a root cause analysis to determine how the `GetFederationToken` request was initiated and identify any potential security gaps or misconfigurations.
 - Implement additional monitoring and alerting for `GetFederationToken` requests to detect and respond to similar activities promptly in the future.
 - Review and update IAM policies and permissions to ensure that only authorized users have the ability to request temporary credentials, reducing the risk of misuse."""
 
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -90,6 +107,22 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
 
 [rule.new_terms]
 field = "new_terms_fields"
 
@@ -1,21 +1,17 @@
 [metadata]
-creation_date = "2020/07/25"
+creation_date = "2024/07/25"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation
-is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with
-the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the
-environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role
-or IAM user within a particular account.
+This rule detects the first time a principal calls AWS CloudFormation CreateStack, CreateStackSet or CreateStackInstances API. CloudFormation is used to create a collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage CloudFormation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior for a role or IAM user within a particular account.
 """
 false_positives = [
     """
-    Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is
+    Verify whether the user identity should be using the triggered API. If known behavior is
     causing false positives, it can be exempted from the rule. The "history_window_start" value can be modified to
     reflect the expected frequency of known activity within a particular environment.
     """,
@@ -24,12 +20,10 @@ from = "now-6m"
 index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Time AWS Cloudformation Stack Creation by User"
+name = "First Time AWS CloudFormation Stack Creation"
 references = [
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/",
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/",
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/",
-    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/",
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html",
+    "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html",
 ]
 risk_score = 47
 rule_id = "0415258b-a7b2-48a6-891a-3367cd9d4d31"
@@ -38,7 +32,7 @@ tags = [
     "Domain: Cloud",
     "Data Source: AWS",
     "Data Source: Amazon Web Services",
-    "Data Source: Cloudformation",
+    "Data Source: CloudFormation",
     "Use Case: Asset Visibility",
     "Tactic: Execution",
     "Resources: Investigation Guide",
@@ -48,23 +42,24 @@ type = "new_terms"
 
 query = '''
 event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and
-    event.action: (CreateStack or CreateStackSet) and event.outcome:success
+    event.action: (CreateStack or CreateStackInstances) 
+    and event.outcome:success
 '''
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating First Time AWS Cloudformation Stack Creation by User
+### Investigating First Time AWS CloudFormation Stack Creation
 
-AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the initial use of stack creation APIs by a user, helping to spot potential unauthorized actions early.
+AWS CloudFormation automates the setup of cloud resources using templates, streamlining infrastructure management. Adversaries with access can exploit this to deploy malicious resources, escalating their control. The detection rule identifies unusual activity by flagging the initial use of stack creation APIs by a user or role, helping to spot potential unauthorized actions early.
 
 ### Possible investigation steps
 
-- Review the CloudTrail logs for the specific event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com to identify the user or role that initiated the CreateStack or CreateStackSet action.
+- Review `aws.cloudtrail.user_identity.arn` to identify the user or role that initiated the `CreateStack` or `CreateStackInstances` action.
 - Verify the IAM permissions of the user or role involved in the event to ensure they have the appropriate level of access and determine if the action aligns with their typical responsibilities.
-- Examine the stack template used in the CreateStack or CreateStackSet action to identify any unusual or unauthorized resources being provisioned.
-- Check the event.outcome:success field to confirm the stack creation was successful and investigate any related resources that were deployed as part of the stack.
+- Examine the stack template used to identify any unusual or unauthorized resources being provisioned.
+- Investigate any related resources that were deployed as part of the stack.
 - Correlate the timing of the stack creation with other logs or alerts to identify any suspicious activity or patterns that might indicate malicious intent.
 - Investigate the account's recent activity history to determine if there have been any other first-time or unusual actions by the same user or role.
 
@@ -78,18 +73,37 @@ AWS CloudFormation automates the setup of cloud resources using templates, strea
 
 ### Response and remediation
 
-- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions. This can be done by revoking permissions or disabling the account temporarily.
-- Review the created stack and stack set for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
+- Immediately isolate the IAM user or role that initiated the stack creation to prevent further unauthorized actions. This can be done by revoking permissions with a [DenyAll](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSDenyAll.html) permissions policy or disabling the account temporarily.
+- Review the created stack for any unauthorized or suspicious resources. Identify and terminate any resources that are not part of the expected infrastructure.
 - Conduct a thorough audit of recent IAM activity to identify any other unusual or unauthorized actions that may indicate further compromise.
 - If malicious activity is confirmed, escalate the incident to the security operations team for a full investigation and potential involvement of incident response teams.
 - Implement additional monitoring and alerting for the affected account to detect any further unauthorized attempts to use CloudFormation or other critical AWS services.
-- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries.
-- Consider enabling AWS CloudTrail logging and AWS Config rules to maintain a detailed record of all API activity and configuration changes for ongoing monitoring and compliance."""
-
+- Review and tighten IAM policies and permissions to ensure that only necessary privileges are granted, reducing the risk of exploitation by adversaries."""
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements"
+]
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"