[Rule Tuning] AWS Access Token Used from Multiple Addresses

imays11 · imays11 · commit fa712ebd048d · 2025-12-04T17:23:04.000-05:00
This rule is extremely loud in telemetry ~2612 alerts in last 24 hours. There have also been a couple community requests for changes.
- reduced the scope of the alerts to only surface the "high" fidelity_score cases for `"multiple_ip_network_city"` or `"multiple_ip_network_city_user_agent"` criteria. This reduced telemetry by ~90%
- excluded 2 more benign service providers `support` which reduced volume by another 6%.
- added the `data_stream.namespace` field as requested.
- kept the rest of the rule logic visible so that if customers would like to broaden the scope of this rule again, they can duplicate the rules and revert back to the broader condition `Esql.activity_type != "normal_activity"`. This has been included as a comment in the rule query.

I will keep an eye on this rule in telemetry to determine it's value moving forward.
diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/02"
+updated_date = "2025/12/04"
 
 [rule]
 author = ["Elastic"]
@@ -99,7 +99,8 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
     "health.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
     "ce.amazonaws.com", "cost-optimization-hub.amazonaws.com",
     "servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com", 
-    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com"
+    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com", "support.amazonaws.com",
+    "support-console.amazonaws.com"
   )
 
 | eval
@@ -114,7 +115,8 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
   Esql.source_geo_city_name = source.geo.city_name,
   Esql.source_network_org_name = `source.as.organization.name`,
   Esql.source_ip_network_pair = concat(Esql.source_ip_string, "-", `source.as.organization.name`),
-  Esql.event_timestamp = @timestamp
+  Esql.event_timestamp = @timestamp,
+  Esql.data_stream_namespace = data_stream.namespace
 
 | stats
   Esql.event_action_values = values(event.action),
@@ -132,6 +134,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
   Esql.user_agent_original_count_distinct = count_distinct(Esql.user_agent_original),
   Esql.source_geo_city_name_count_distinct = count_distinct(Esql.source_geo_city_name),
   Esql.source_network_org_name_count_distinct = count_distinct(Esql.source_network_org_name),
+  Esql.data_stream_namespace_values = values(Esql.data_stream_namespace),
   Esql.timestamp_first_seen = min(Esql.event_timestamp),
   Esql.timestamp_last_seen = max(Esql.event_timestamp),
   Esql.event_count = count()
@@ -175,9 +178,10 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
   Esql.source_ip_count_distinct,
   Esql.user_agent_original_count_distinct,
   Esql.source_geo_city_name_count_distinct,
-  Esql.source_network_org_name_count_distinct
+  Esql.source_network_org_name_count_distinct,
+  Esql.data_stream_namespace_values
 
-| where Esql.activity_type != "normal_activity"
+| where Esql.activity_fidelity_score == "high"
 '''
 
 [rule.investigation_fields]
@@ -201,7 +205,8 @@ field_names = [
       "Esql.source_ip_count_distinct",
       "Esql.user_agent_original_count_distinct",
       "Esql.source_geo_city_name_count_distinct",
-      "Esql.source_network_org_name_count_distinct"
+      "Esql.source_network_org_name_count_distinct",
+      "Esql.data_stream_namespace_values"
 ]
 
 
