Skip to content

Commit 90ee151

Browse files
imays11imays11
authored
[Tuning] AWS Access Token Used from Multiple Addresses (#5055)
* [Tuning] AWS Access Token Used from Multiple Addresses Tuning was triggered by a community member - fixes wildcard and `Pulumi` typos to exclude common IaC tools - adds exclusion for ``source.as.organization.name` == "AMAZON-02" and aws.cloudtrail.event_category == "Data"` to exclude the noisy multi-IP traffic coming from Amazon-02 networks performing high-throughput data-plane operations. I didn't exclude this network completely because this network can also indicate user-triggered events that are worth keeping in the alert. - added additional high noise service providers that may be more indicative of console browsing - added a field for pairing source.ip & network - added highlighted fields * Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml * Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
1 parent 88d9811 commit 90ee151

File tree

1 file changed

+38
-7
lines changed

1 file changed

+38
-7
lines changed

rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml

Lines changed: 38 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
creation_date = "2025/04/11"
33
integration = ["aws"]
44
maturity = "production"
5-
updated_date = "2025/07/16"
5+
updated_date = "2025/09/02"
66

77
[rule]
88
author = ["Elastic"]
@@ -86,16 +86,20 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
8686
and aws.cloudtrail.user_identity.arn is not null
8787
and aws.cloudtrail.user_identity.type == "IAMUser"
8888
and source.ip is not null
89+
and aws.cloudtrail.user_identity.access_key_id is not null
8990
and not (
90-
user_agent.original like "%Terraform%" or
91-
user_agent.original like "%Ansible%" or
92-
user_agent.original like "%Pulumni%"
91+
user_agent.original like "*Terraform*" or
92+
user_agent.original like "*Ansible*" or
93+
user_agent.original like "*Pulumi*"
9394
)
9495
and `source.as.organization.name` != "AMAZON-AES"
96+
and not ((
97+
`source.as.organization.name` == "AMAZON-02" and aws.cloudtrail.event_category == "Data"))
9598
and event.provider not in (
9699
"health.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
97100
"ce.amazonaws.com", "cost-optimization-hub.amazonaws.com",
98-
"servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com"
101+
"servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com",
102+
"account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com"
99103
)
100104
101105
| eval
@@ -108,8 +112,9 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
108112
Esql.source_ip_user_agent_pair = concat(Esql.source_ip_string, " - ", user_agent.original),
109113
Esql.source_ip_city_pair = concat(Esql.source_ip_string, " - ", source.geo.city_name),
110114
Esql.source_geo_city_name = source.geo.city_name,
111-
Esql.event_timestamp = @timestamp,
112-
Esql.source_network_org_name = `source.as.organization.name`
115+
Esql.source_network_org_name = `source.as.organization.name`,
116+
Esql.source_ip_network_pair = concat(Esql.source_ip_string, "-", `source.as.organization.name`),
117+
Esql.event_timestamp = @timestamp
113118
114119
| stats
115120
Esql.event_action_values = values(event.action),
@@ -122,6 +127,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
122127
Esql.source_geo_city_name_values = values(Esql.source_geo_city_name),
123128
Esql.source_ip_city_pair_values = values(Esql.source_ip_city_pair),
124129
Esql.source_network_org_name_values = values(Esql.source_network_org_name),
130+
Esql.source_ip_network_pair_values = values(Esql.source_ip_network_pair),
125131
Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),
126132
Esql.user_agent_original_count_distinct = count_distinct(Esql.user_agent_original),
127133
Esql.source_geo_city_name_count_distinct = count_distinct(Esql.source_geo_city_name),
@@ -165,6 +171,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
165171
Esql.source_geo_city_name_values,
166172
Esql.source_ip_city_pair_values,
167173
Esql.source_network_org_name_values,
174+
Esql.source_ip_network_pair_values,
168175
Esql.source_ip_count_distinct,
169176
Esql.user_agent_original_count_distinct,
170177
Esql.source_geo_city_name_count_distinct,
@@ -173,6 +180,30 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
173180
| where Esql.activity_type != "normal_activity"
174181
'''
175182

183+
[rule.investigation_fields]
184+
field_names = [
185+
"Esql.timestamp_first_seen",
186+
"Esql.timestamp_last_seen",
187+
"Esql.activity_type",
188+
"Esql.activity_fidelity_score",
189+
"Esql.event_count",
190+
"Esql.aws_cloudtrail_user_identity_arn_values",
191+
"Esql.aws_cloudtrail_user_identity_access_key_id_values",
192+
"Esql.event_action_values",
193+
"Esql.event_provider_values",
194+
"Esql.source_ip_values",
195+
"Esql.user_agent_original_values",
196+
"Esql.source_ip_user_agent_pair_values",
197+
"Esql.source_geo_city_name_values",
198+
"Esql.source_ip_city_pair_values",
199+
"Esql.source_network_org_name_values",
200+
"Esql.source_ip_network_pair_values",
201+
"Esql.source_ip_count_distinct",
202+
"Esql.user_agent_original_count_distinct",
203+
"Esql.source_geo_city_name_count_distinct",
204+
"Esql.source_network_org_name_count_distinct"
205+
]
206+
176207

177208
[[rule.threat]]
178209
framework = "MITRE ATT&CK"

0 commit comments

Comments
 (0)