From 2d2ef5f5b15383fc6a42e7f454a3a16fca827220 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Mon, 6 Apr 2026 14:30:19 -0400 Subject: [PATCH] Revert "[New Rules] AWS IAM Long-Term Creds Abuse Coverage (#5918)" (#5923) This reverts commit a6d31d7dfd296e71e2f71e45ccbb78abf20ec311. --- ...elated_with_elevated_detection_alerts.toml | 179 ------------------ ..._access_key_first_seen_from_source_ip.toml | 149 --------------- 2 files changed, 328 deletions(-) delete mode 100644 rules/integrations/aws/credential_access_iam_long_term_access_key_correlated_with_elevated_detection_alerts.toml delete mode 100644 rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml diff --git a/rules/integrations/aws/credential_access_iam_long_term_access_key_correlated_with_elevated_detection_alerts.toml b/rules/integrations/aws/credential_access_iam_long_term_access_key_correlated_with_elevated_detection_alerts.toml deleted file mode 100644 index 7e11d5905..000000000 --- a/rules/integrations/aws/credential_access_iam_long_term_access_key_correlated_with_elevated_detection_alerts.toml +++ /dev/null @@ -1,179 +0,0 @@ -[metadata] -creation_date = "2026/04/03" -integration = ["aws"] -maturity = "production" -updated_date = "2026/04/03" - -[rule] -author = ["Elastic"] -description = """ -Correlates open detection alerts that share the same long-term IAM access key ID ( prefix AKIA). It fires when the rule -AWS Long-Term Access Key First Seen from Source IP (rule_id: 9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f) has triggered for -that key and at least one other open alert for the same key is medium, high, or critical severity. This higher-order -rule helps prioritize long-term key novelty when it co-occurs with elevated detections that may indicate post-compromise -activity. -""" -false_positives = [ - """ - The same automation identity may legitimately trigger a first-seen-IP alert and unrelated medium-or-higher findings - in the same window (for example, a noisy compliance rule). Review sibling `kibana.alert.rule.name` values, rule - tags, and CloudTrail context for the access key before escalating. - """, -] -from = "now-6m" -language = "esql" -license = "Elastic License v2" -name = "AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts" -note = """## Triage and analysis - -### Investigating AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts - -This is a [higher-order](https://www.elastic.co/guide/en/security/current/rules-ui-create.html) rule. It evaluates **open** signals in `.alerts-security.*` grouped by -`aws.cloudtrail.user_identity.access_key_id`. A match requires: - -1. At least one alert from **AWS Long-Term Access Key First Seen from Source IP** (`kibana.alert.rule.rule_id` **9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f**). -2. At least one **different** alert on the **same access key** with **medium or higher** severity, implemented as - `kibana.alert.risk_score >= 47` or `kibana.alert.severity` in `medium`, `high`, or `critical`. - -### Possible investigation steps - -- **`Esql.alert_count_long_term_key_new_ip_rule`**: Confirm the first-seen-IP rule contributed to the correlation. -- **`Esql.alert_count_other_elevated`**: Count of sibling alerts meeting the elevated threshold (excluding the long-term-key new-IP rule). -- **`Esql.kibana_alert_rule_name_values`** / **`Esql.kibana_alert_rule_id_values`**: Identify which rules fired; map tactics and whether activity looks like post-compromise follow-through. -- **`aws.cloudtrail.user_identity.access_key_id`**: Pivot in CloudTrail and IAM (last used, attached policies, user or root context). -- **`Esql.aws_cloudtrail_user_identity_arn_values`**, **`Esql.source_ip_values`**: Reconstruct session context across alerts. - -### False positive analysis - -- Overlapping scheduled jobs, penetration tests, or purple-team runs that reuse the same IAM access key across many detectors. -- Custom rules calibrated with **medium** severity but **low** risk scores still qualify via `kibana.alert.severity`. - -### Response and remediation - -- Treat as elevated priority versus the standalone first-seen-IP rule: rotate or disable the access key if abuse is suspected, - scope CloudTrail for the key, and review open sibling alerts to closure. - -### Additional information - -- Default risk score to severity mapping in Elastic Security is commonly **21** low, **47** medium, **73** high, **99** critical; confirm in your deployment if customized. - -""" -references = [ - "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise", -] -risk_score = 73 -rule_id = "98cfaa44-83f0-4aba-90c4-363fb9d51a75" -severity = "high" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudTrail", - "Data Source: AWS IAM", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Initial Access", - "Resources: Investigation Guide", - "Rule Type: Higher-Order Rule", -] -timestamp_override = "event.ingested" -type = "esql" - -query = ''' -from .alerts-security.* METADATA _id, _version, _index - -// Sibling rule: AWS Long-Term Access Key First Seen from Source IP -// rule_id = 9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f - -| where kibana.alert.workflow_status == "open" - and event.kind == "signal" - and source.ip is not null - and kibana.alert.rule.name is not null - and not kibana.alert.rule.type in ("threat_match", "machine_learning") - and not kibana.alert.rule.name like "Deprecated - *" - and not KQL("""kibana.alert.rule.tags : "Rule Type: Higher-Order Rule" """) - and ( - kibana.alert.rule.rule_id == "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f" - or kibana.alert.risk_score >= 47 - or kibana.alert.severity in ("medium", "high", "critical") - ) - -| eval Esql.is_long_term_key_new_ip_rule = kibana.alert.rule.rule_id == "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f" -| eval Esql.is_other_elevated_rule = kibana.alert.rule.rule_id != "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f" - and ( - kibana.alert.risk_score >= 47 - or kibana.alert.severity in ("medium", "high", "critical") - ) - -| stats - Esql.alert_count_long_term_key_new_ip_rule = SUM(CASE(Esql.is_long_term_key_new_ip_rule, 1, 0)), - Esql.alert_count_other_elevated_rule = SUM(CASE(Esql.is_other_elevated_rule, 1, 0)), - Esql.kibana_alert_rule_name_values = VALUES(kibana.alert.rule.name), - Esql.kibana_alert_rule_id_values = VALUES(kibana.alert.rule.rule_id), - Esql.kibana_alert_risk_score_values = VALUES(kibana.alert.risk_score), - Esql.kibana_alert_severity_values = VALUES(kibana.alert.severity), - Esql.user_entity_id_values = VALUES(user.entity.id), - Esql.timestamp_min = MIN(@timestamp), - Esql.timestamp_max = MAX(@timestamp) - by source.ip - -| where Esql.alert_count_long_term_key_new_ip_rule > 0 - and Esql.alert_count_other_elevated_rule > 0 - -| keep - source.ip, - Esql.alert_count_long_term_key_new_ip_rule, - Esql.alert_count_other_elevated_rule, - Esql.kibana_alert_rule_name_values, - Esql.kibana_alert_rule_id_values, - Esql.kibana_alert_risk_score_values, - Esql.kibana_alert_severity_values, - Esql.user_entity_id_values, - Esql.timestamp_min, - Esql.timestamp_max -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[rule.investigation_fields] -field_names = [ - "source.ip", - "Esql.user_entity_id_values", - "Esql.alert_count_long_term_key_new_ip_rule", - "Esql.alert_count_other_elevated_rule", - "Esql.kibana_alert_rule_name_values", - "Esql.kibana_alert_rule_id_values", - "Esql.kibana_alert_risk_score_values", - "Esql.kibana_alert_severity_values", - "Esql.timestamp_min", - "Esql.timestamp_max", -] - diff --git a/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml b/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml deleted file mode 100644 index d3e20c9c7..000000000 --- a/rules/integrations/aws/credential_access_iam_long_term_access_key_first_seen_from_source_ip.toml +++ /dev/null @@ -1,149 +0,0 @@ -[metadata] -creation_date = "2026/04/03" -integration = ["aws"] -maturity = "production" -updated_date = "2026/04/03" - -[rule] -author = ["Elastic"] -description = """ -Identifies the first time, within the configured history window, that a long-term IAM access key ID (prefix AKIA) is -used successfully from a given source.ip in AWS CloudTrail. Long-term access keys belong to IAM users or the account -root user. They are a common target after credential theft or leakage, including supply-chain and exposed-key scenarios. -Temporary security credentials (prefix ASIA) and console sessions are excluded so the signal emphasizes programmatic -access patterns. -""" -false_positives = [ - """ - Legitimate users may travel, rotate through VPN egress IPs, or run automation from new build hosts, producing a - first-seen IP for an existing access key. Baseline the principal, confirm with the key owner, and extend the history - window or add exceptions for known automation networks if needed. - """, -] -from = "now-6m" -index = ["logs-aws.cloudtrail-*"] -language = "kuery" -license = "Elastic License v2" -name = "AWS IAM Long-Term Access Key First Seen from Source IP" -note = """## Triage and analysis - -### Investigating AWS IAM Long-Term Access Key First Seen from Source IP - -This rule is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) detection on CloudTrail. It fires when a successful API call uses a long-term IAM access key (`AKIA*`) from a `source.ip` that has not appeared with that key in the rule history window. - -Long-term keys are high-value targets. Unlike session credentials (`ASIA*`), they do not expire until rotated or deleted. Threat reporting on cloud compromises often highlights abuse of leaked or stolen `AKIA` keys. - -### Possible investigation steps - -**Confirm the key and principal** -- Identify the IAM user or root context implied by `aws.cloudtrail.user_identity.arn` or `user.name`. -- **`aws.cloudtrail.user_identity.type`**: Distinguish `IAMUser`, `Root`, or other types; root long-term keys warrant extra scrutiny. - -**Assess the new source** -- **`source.ip`** and **`source.geo`**: Compare to normal geography, corporate egress, and known cloud provider ranges. -- **`user_agent.original`**: Identify AWS CLI, SDKs, custom tooling, or unusual agents. - -**Correlate activity** -- Search CloudTrail for the same access key and IP over the following hours for sensitive APIs (IAM changes, STS, S3 data access, Secrets Manager, role assumption). -- Review IAM last-used metadata for the key in the AWS console or API (`GetAccessKeyLastUsed`). - -### False positive analysis - -- Travel and VP* for human IAM users. -- New CI runners, ephemeral build agents, or re-IP'd NAT gateways for automation keys. -- Partner or MSP access from new networks if keys are shared (discouraged practice). - -### Response and remediation - -- If unexpected, deactivate or delete the access key, rotate credentials, and review policies attached to the user. -- Enable or enforce MFA for console users; prefer roles and temporary credentials over long-term keys for workloads. -- Document approved networks or principals and tune history or exceptions accordingly. - -### Additional information - -- [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.pdf) - -""" -references = [ - "https://kudelskisecurity.com/research/investigating-two-variants-of-the-trivy-supply-chain-compromise", -] -risk_score = 47 -rule_id = "9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f" -severity = "medium" -tags = [ - "Domain: Cloud", - "Data Source: AWS", - "Data Source: Amazon Web Services", - "Data Source: AWS CloudTrail", - "Data Source: AWS IAM", - "Use Case: Threat Detection", - "Tactic: Credential Access", - "Tactic: Initial Access", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "new_terms" - -query = ''' -event.dataset: "aws.cloudtrail" - and event.outcome: "success" - and source.ip:* - and aws.cloudtrail.user_identity.access_key_id: AKIA* -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1552" -name = "Unsecured Credentials" -reference = "https://attack.mitre.org/techniques/T1552/" - - -[rule.threat.tactic] -id = "TA0006" -name = "Credential Access" -reference = "https://attack.mitre.org/tactics/TA0006/" - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1078" -name = "Valid Accounts" -reference = "https://attack.mitre.org/techniques/T1078/" -[[rule.threat.technique.subtechnique]] -id = "T1078.004" -name = "Cloud Accounts" -reference = "https://attack.mitre.org/techniques/T1078/004/" - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" - -[rule.investigation_fields] -field_names = [ - "@timestamp", - "user.name", - "user_agent.original", - "source.ip", - "source.geo.city_name", - "source.geo.country_iso_code", - "source.as.organization.name", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.access_key_id", - "event.action", - "event.outcome", - "cloud.account.id", - "cloud.region", -] - -[rule.new_terms] -field = "new_terms_fields" -value = ["aws.cloudtrail.user_identity.access_key_id", "source.ip"] -[[rule.new_terms.history_window_start]] -field = "history_window_start" -value = "now-10d" - -