
AWS STS GetCallerIdentity API Called for the First Time

Elastic Detection Rules

Summary
This detection rule identifies an AWS identity invoking the STS `GetCallerIdentity` API operation for the first time in the last 15 days, which can indicate compromised credentials. In a legitimate context, users already know their account identity and would typically not need to make this call; an adversary who has obtained credentials, by contrast, commonly calls it to confirm which account and principal those credentials belong to. The rule's query filters the AWS log dataset on the event type associated with this operation, i.e. calls to the AWS Security Token Service, and applies a 15-day historical window so that repeated, legitimate usage is filtered out while an identity's first call within that window is flagged as anomalous. Focusing on the first invocation within the window gives a clear starting point for spotting credential misuse in AWS environments.

Investigation steps include examining the roles associated with the user account, analyzing the user agent string, and evaluating the source IP address of the API call to determine whether the activity is legitimate. Because the rule can produce a high false-positive rate, exceptions for known users and contexts may be needed to tune its sensitivity without losing coverage.
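The "first time in 15 days" logic is easy to reason about in code. The block below is an added illustration written for this page, not Elastic's rule or Kibana query: it walks a set of constructed CloudTrail-style records (the sample events, identity ARNs, IP addresses and user agents are all made up) in time order, remembers when each identity last called STS `GetCallerIdentity`, and emits an alert whenever an identity calls it with no prior call inside the 15-day window. Each alert carries the source IP and user agent so the triage steps named in the summary can start from the alert itself.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Length of the history window the rule summary describes.
HISTORY_WINDOW = timedelta(days=15)

# Constructed sample events in CloudTrail's field layout (not real data).
SAMPLE_EVENTS: List[dict] = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    {"eventTime": "2024-05-03T09:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    # A different STS operation: not in scope for this rule.
    {"eventTime": "2024-05-10T08:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetSessionToken", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
    # A non-STS call: ignored entirely.
    {"eventTime": "2024-05-15T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "198.51.100.7", "userAgent": "aws-sdk-go/1.44"},
    # bob has never called GetCallerIdentity in the data: first sighting.
    {"eventTime": "2024-05-20T02:15:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "sourceIPAddress": "192.0.2.44", "userAgent": "python-requests/2.31"},
    # alice again, but 21 days after her previous call: outside the window.
    {"eventTime": "2024-05-24T12:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "recipientAccountId": "111122223333",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0"},
]


def parse_time(ts: str) -> datetime:
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_get_caller_identity(event: dict) -> bool:
    """True only for the STS operation this rule is about."""
    return (event.get("eventSource") == "sts.amazonaws.com"
            and event.get("eventName") == "GetCallerIdentity")


def identity_key(event: dict) -> Tuple[str, str]:
    """Track history per (account, principal ARN) so identities in
    different accounts are never conflated."""
    return (event.get("recipientAccountId", ""),
            event.get("userIdentity", {}).get("arn", ""))


def first_time_get_caller_identity(events: List[dict],
                                   window: timedelta = HISTORY_WINDOW) -> List[dict]:
    """Return one alert per GetCallerIdentity call whose identity has no
    earlier GetCallerIdentity call within `window` before it."""
    last_seen: Dict[Tuple[str, str], datetime] = {}
    alerts: List[dict] = []
    for event in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if not is_get_caller_identity(event):
            continue
        key = identity_key(event)
        now = parse_time(event["eventTime"])
        previous: Optional[datetime] = last_seen.get(key)
        if previous is None or now - previous > window:
            alerts.append({
                "account": key[0],
                "identity": key[1],
                "event_time": event["eventTime"],
                # Context the summary's investigation steps ask for.
                "source_ip": event.get("sourceIPAddress"),
                "user_agent": event.get("userAgent"),
                "days_since_previous": None if previous is None else (now - previous).days,
            })
        last_seen[key] = now
    return alerts


if __name__ == "__main__":
    for alert in first_time_get_caller_identity(SAMPLE_EVENTS):
        print(alert)
```

Two points worth noting when reading the output. The detector needs at least a full window of history before its verdicts mean anything: on a freshly started feed every identity looks new, which is the same cold-start effect that drives the high false-positive rate the summary mentions. And the window is measured from the identity's previous call, not from a fixed calendar date, so alice's call on 24 May is flagged even though she called twice earlier in the month.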
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
  • Process
ATT&CK Techniques
  • T1087
  • T1087.004
Created: 2024-05-24