First Occurrence of STS GetFederationToken Request by User

Elastic Detection Rules

Summary
This rule detects the first occurrence, within a 10-day look-back window, of an AWS Security Token Service (STS) `GetFederationToken` request by a given user identity. `GetFederationToken` issues temporary security credentials for a federated session; it is normally called with an IAM user's long-term access key, and the credentials it returns are scoped to the intersection of that user's permissions and the session policy passed in the call, so they never exceed what the caller already has. The call is legitimate for authorized users, but an attacker holding a compromised IAM user's access key can use it to mint a separate set of temporary credentials and operate with those instead of the stolen key, which is why the rule is mapped to Defense Evasion (T1550.001, Application Access Token).

The rule examines AWS CloudTrail logs for events where the event provider is `sts.amazonaws.com` and the action is `GetFederationToken`, and raises an alert when the requesting identity has not made such a call in the previous 10 days. Each alert should be investigated to rule out misuse.

The triage guidance covers reviewing the user's recent behavior, validating the surrounding access logs, and examining the source (IP address, user agent, time of day) of the request for patterns that do not fit the user's history. Expected false positives include routine administrative use, legitimate requests from newly onboarded users, and automated systems that call `GetFederationToken` as part of their normal operation; these should be confirmed with the owning team and, where appropriate, excluded.

Response and remediation guidance emphasizes immediate revocation of the temporary credentials and of the long-term key that was used to request them, followed by a full investigation of any activity performed with either set of credentials.
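The detection logic described above, written out as an added example that is not part of the Elastic rule or its page: a minimal "first occurrence" detector run over constructed CloudTrail-style records. Field names follow raw CloudTrail JSON (`eventSource`, `eventName`, `userIdentity.arn`) rather than the ECS fields the Elastic rule queries, the account ID and IP addresses are made up, and skipping records that carry an `errorCode` is an assumption made here so that denied attempts do not seed the baseline (the page's summary names only the provider and the action).

```python
"""Added example: first-occurrence detection of STS GetFederationToken per user.

Not the Elastic rule's own code. Mirrors its logic: filter CloudTrail records
to eventSource == sts.amazonaws.com and eventName == GetFederationToken, then
alert the first time a user identity ARN appears within a 10-day look-back.
"""
import json
from datetime import datetime, timedelta, timezone

# Look-back window for the "first occurrence" check (the 10 days stated for the rule).
HISTORY_WINDOW = timedelta(days=10)

# Constructed CloudTrail-style records for demonstration only (not real telemetry).
# Account ID 123456789012 and the IP addresses are placeholders.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-08-01T09:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-08-05T10:15:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-08-05T10:16:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2024-08-20T02:30:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-08-21T11:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.7","errorCode":"AccessDenied"}
{"eventTime":"2024-08-22T11:05:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2024-08-22T12:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetFederationToken","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10"}
""".strip().splitlines()]


def parse_time(ts: str) -> datetime:
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_candidate(event: dict) -> bool:
    """The rule's base filter: a successful STS GetFederationToken call.

    Dropping records with an errorCode is an assumption made in this example;
    the page lists only the provider and the action.
    """
    return (
        event.get("eventSource") == "sts.amazonaws.com"
        and event.get("eventName") == "GetFederationToken"
        and "errorCode" not in event
    )


def first_occurrence_alerts(events, history_window=HISTORY_WINDOW):
    """Return one alert per GetFederationToken call whose user ARN has no
    earlier matching call within `history_window` (the "new terms" logic)."""
    last_seen = {}  # user ARN -> time of the most recent matching call
    alerts = []
    # Fixed-format UTC timestamps sort correctly as strings.
    for event in sorted(events, key=lambda e: e["eventTime"]):
        if not is_candidate(event):
            continue
        when = parse_time(event["eventTime"])
        user = event["userIdentity"]["arn"]
        previous = last_seen.get(user)
        if previous is None or when - previous > history_window:
            alerts.append({
                "eventTime": event["eventTime"],
                "user": user,
                "sourceIPAddress": event.get("sourceIPAddress"),
            })
        # Every matching call, alerted or not, refreshes the baseline.
        last_seen[user] = when
    return alerts


if __name__ == "__main__":
    for alert in first_occurrence_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['eventTime']} first GetFederationToken by "
              f"{alert['user']} from {alert['sourceIPAddress']}")
```

Run against the constructed records, this yields three alerts: alice's first call on 2024-08-01, alice again on 2024-08-20 because her previous call was 15 days earlier (outside the window), and bob's first successful call on 2024-08-22 (his denied attempt the day before is filtered out). Alice's 2024-08-22 call is suppressed because she was seen two days earlier. The GetCallerIdentity record is ignored by the base filter; in a real deployment the triage step would then look at the alert's source IP and the user's surrounding activity, as the rule's guidance describes.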
Categories
  • Cloud
  • AWS
Data Sources
  • Cloud Storage
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1550
  • T1550.001
Created: 2024-08-19