tuning 'AWS STS Temporary Credentials via AssumeRole'

terrancedejesus · terrancedejesus · commit c8d811f46fd3 · 2024-11-01T12:40:59.000-04:00
diff --git a/rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml b/rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/11/01"
 
 
 [rule]
@@ -42,11 +42,17 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:aws.cloudtrail
-    and event.provider:sts.amazonaws.com
-    and event.action:AssumeRole*
-    and event.outcome:success
-    and user.id:*
+event.dataset: "aws.cloudtrail"
+    and event.provider: "sts.amazonaws.com"
+    and event.action: "AssumeRole"
+    and event.outcome: "success"
+    and not (aws.cloudtrail.user_identity.invoked_by: (
+                "config.amazonaws.com" OR
+                "securityhub.amazonaws.com" OR
+                "sso.amazonaws.com"
+                )
+            )
+    and not (aws.cloudtrail.resources.arn: (*Amazon* OR *AWS* OR *Elastic* OR *Wiz* OR *DataDog*))
 '''
 
 
@@ -82,7 +88,7 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "aws.cloudtrail.flattened.request_parameters.roleArn"]
+value = ["aws.cloudtrail.resources.arn", "aws.cloudtrail.user_identity.invoked_by"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-10d"
