rules/integrations/aws/initial_access_signin_console_login_federated_user.toml
Lines changed: 29 additions & 24 deletions
@@ -7,13 +7,16 @@ updated_date = "2025/10/09"
7
7
[rule]
8
8
author = ["Elastic"]
9
9
description = """
10
-
Identifies when a federated user logs into the AWS Management Console. Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process.
11
-
12
-
However, CloudTrail does not record whether a Federated User utilized MFA as part of authentication — that MFA decision often occurs at a third-party IdP (e.g., Okta, Azure AD, Google). As a result, CloudTrail fields such as MFAUsed / mfaAuthenticated appear as “No/false” for federated console logins even if IdP MFA was required.
13
-
14
-
This alert should be correlated with IdP authentication logs to verify whether MFA was enforced
15
-
for the session. Increase priority if you find a related "GetSigninToken" event whose source IP / ASN / geo
16
-
or user-agent differs from the subsequent "ConsoleLogin" (possible token relay/abuse). Same-IP/UA pairs within a short window are more consistent with expected operator behavior and can be triaged with lower severity.
10
+
Identifies when a federated user logs into the AWS Management Console. Federated users are typically given temporary
11
+
credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may
12
+
indicate a security risk, as MFA adds an additional layer of security to the authentication process. However, CloudTrail
13
+
does not record whether a Federated User utilized MFA as part of authentication — that MFA decision often occurs at a
14
+
third-party IdP (e.g., Okta, Azure AD, Google). As a result, CloudTrail fields such as MFAUsed / mfaAuthenticated appear
15
+
as “No/false” for federated console logins even if IdP MFA was required. This alert should be correlated with IdP
16
+
authentication logs to verify whether MFA was enforced for the session. Increase priority if you find a related
17
+
"GetSigninToken" event whose source IP / ASN / geo or user-agent differs from the subsequent "ConsoleLogin" (possible
18
+
token relay/abuse). Same-IP/UA pairs within a short window are more consistent with expected operator behavior and can
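Review bot: the triage guidance that now fills the second half of the description, from "This alert should be correlated with IdP authentication logs" through "can be triaged with lower severity", is investigation-guide material rather than a rule summary; consider moving it into the rule's `note` field and keeping `description` to the first sentences plus the CloudTrail/IdP MFA caveat, so the text shown in rule lists stays short. Since this hunk is otherwise a pure reflow to roughly 120 columns with no wording change, it is also a good moment to replace "Azure AD" with "Microsoft Entra ID" (the product was renamed in 2023) and to spell out the exact CloudTrail field paths behind the shorthand "MFAUsed / mfaAuthenticated", so an analyst can check the "No/false" claim directly against the event.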
rules_building_block/initial_access_aws_signin_token_created.toml
Lines changed: 28 additions & 20 deletions
@@ -9,11 +9,16 @@ updated_date = "2025/10/09"
9
9
author = ["Elastic"]
10
10
building_block_type = "default"
11
11
description = """
12
-
Captures requests to the AWS federation endpoint (signin.amazonaws.com) for GetSigninToken. This API exchanges existing temporary AWS credentials (e.g., from STS GetFederationToken or AssumeRole) for a short-lived sign-in token that is embedded in a one-click URL to the AWS Management Console. It is commonly used by custom federation tools and automation to pivot from programmatic access to a browser session. This is a building block rule meant to be used for correlation with other rules to detect suspicious activity.
12
+
Captures requests to the AWS federation endpoint (signin.amazonaws.com) for GetSigninToken. This API exchanges existing
13
+
temporary AWS credentials (e.g., from STS GetFederationToken or AssumeRole) for a short-lived sign-in token that is
14
+
embedded in a one-click URL to the AWS Management Console. It is commonly used by custom federation tools and automation
15
+
to pivot from programmatic access to a browser session. This is a building block rule meant to be used for correlation
16
+
with other rules to detect suspicious activity.
13
17
"""
14
18
false_positives = [
15
19
"""
16
-
Legitimate federation workflows, admin portals, SSO helpers, CI/CD jobs, or internal scripts that create one-click console links, commonly invoke GetSigninToken and may generate frequent benign events.
20
+
Legitimate federation workflows, admin portals, SSO helpers, CI/CD jobs, or internal scripts that create one-click
21
+
console links, commonly invoke GetSigninToken and may generate frequent benign events.
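Review bot: the reflowed false_positives entry carries over the original's comma splice; in "internal scripts that create one-click console links, commonly invoke GetSigninToken" the comma after "links" separates the subject from its verb and should be dropped while the text is being rewrapped anyway. The description reflow above it is content-neutral (same sentences, wrapped to roughly 120 columns), and the `updated_date = "2025/10/09"` bump in the hunk header context is consistent with a text-only change.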