Merge branch 'main' into terrancedejesus/issue5216

Author: terrancedejesus

detection_rules/etc/non-ecs-schema.json

@@ -222,7 +222,11 @@
   "logs-azure.platformlogs-*": {
     "azure.platformlogs.identity.claim.upn": "keyword",
     "azure.platformlogs.properties.id": "keyword",
-    "azure.platformlogs.identity.claim.appid": "keyword"
+    "azure.platformlogs.identity.claim.appid": "keyword",
+    "azure.platformlogs.identity.type": "keyword",
+    "azure.platformlogs.properties.userAgentHeader": "keyword",
+    "azure.platformlogs.statusCode": "keyword",
+    "azure.platformlogs.properties.accountName": "keyword"
   },
    "logs-o365.audit-*": {
      "o365.audit.ExtendedProperties.RequestType": "keyword",

rules/integrations/aws/initial_access_signin_console_login_federated_user.toml

@@ -0,0 +1,131 @@
+[metadata]
+creation_date = "2024/08/19"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/10/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a federated user logs into the AWS Management Console. Federated users are typically given temporary
+credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may
+indicate a security risk, as MFA adds an additional layer of security to the authentication process. However, CloudTrail
+does not record whether a Federated User utilized MFA as part of authentication — that MFA decision often occurs at a
+third-party IdP (e.g., Okta, Azure AD, Google). As a result, CloudTrail fields such as MFAUsed / mfaAuthenticated appear
+as “No/false” for federated console logins even if IdP MFA was required. This alert should be correlated with IdP
+authentication logs to verify whether MFA was enforced for the session. Increase priority if you find a related
+"GetSigninToken" event whose source IP / ASN / geo or user-agent differs from the subsequent "ConsoleLogin" (possible
+token relay/abuse). Same-IP/UA pairs within a short window are more consistent with expected operator behavior and can
+be triaged with lower severity.
+"""
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS Sign-In Console Login with Federated User"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating AWS Sign-In Console Login with Federated User
+
+Federated users in AWS are granted temporary credentials to access resources, often without the need for a permanent account. This setup is convenient but can be risky if not properly secured with multi-factor authentication (MFA). Adversaries might exploit this by using stolen or misconfigured credentials to gain unauthorized access. CloudTrail alone cannot reliably indicate MFA usage for federated logins. This rule surfaces potentially risky access for analyst review and IdP correlation.
+
+### Possible investigation steps
+
+- **Identify the prinicipal involved**
+  - `aws.cloudtrail.user_identity.arn` (federated session ARN)
+  - `aws.cloudtrail.user_identity.session_context.session_issuer.*` (role ARN/name, account) of the identity that created the federated session.
+- **Investigate the source context**
+  - examine `source.ip`, ASN, `geo` fields, and `user_agent.original`
+  - Compare against normal IP ranges, known user-agents and expected locations for this identity
+#### Correlate to raise/lower priority
+- **Check IdP MFA:** Find the corresponding IdP login around the same time and verify MFA was required and passed. If IdP shows **no MFA**, raise severity.
+- **Federation token pivot:** Look for a nearby `signin.amazonaws.com` `GetSigninToken` API call.
+  - **More suspicious:** token creation and console login from different public IPs/ASNs/geo fields.
+  - **Less suspicious:** same IP and expected user agents within ~10–15 minutes (typical operator behavior).
+- **Rareness/anomaly signals:** new/rare role or session issuer, rare source IP/ASN/geo, unusual time-of-day, multiple ConsoleLogin events from disparate networks in a short window.
+- Review recent activity associated with the federated user to identify any unusual or unauthorized actions that may have occurred following the login event.
+- Assess the configuration and policies of the Identity Provider (IdP) used for federated access to ensure MFA is enforced and properly configured for all users.
+
+### Related rules
+- AWS Sign-In Token Created - f754e348-f36f-4510-8087-d7f29874cc12
+
+### False positive analysis
+- Organizations using SSO for console access will routinely see federated `ConsoleLogin` where CloudTrail shows `MFAUsed: "No"` — this is expected due to IdP-side MFA.
+- Internal tools/automation that create federation links (`GetSigninToken`) for operators.
+- Maintain allow-lists for corp/VPN CIDRs, approved ASNs, and known automation user-agents.
+
+### Response and remediation
+- If IdP confirms MFA and the source context is expected: document and close.
+- If IdP shows no MFA or context is suspicious:
+  - Notify the security team and relevant stakeholders about the potential security breach to ensure coordinated response efforts.
+  - Disable/lock the IdP account pending review; invalidate IdP sessions if supported.
+  - Temporarily restrict access (e.g., SCPs, session policies, IP-based conditions).
+  - Conduct a thorough review of AWS CloudTrail logs to identify any suspicious activities or unauthorized access attempts associated with both the intitiating user and the federated user account.
+  - Hunt for a preceding `GetSigninToken` from a different IP/ASN/UA (possible token relay).
+  - Ensure IdP policy enforces MFA for AWS app access; re-verify role trust and least-privilege policies.
+- Implement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.
+- Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
+"""
+references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
+risk_score = 47
+rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Amazon Web Services",
+    "Data Source: AWS",
+    "Data Source: AWS Sign-In",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Initial Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and 
+    event.provider: "signin.amazonaws.com" and 
+    event.action : "ConsoleLogin" and 
+    aws.cloudtrail.user_identity.type: "FederatedUser" and
+    event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
+    "aws.cloudtrail.user_identity.session_context.session_issuer.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+]
+