diff --git a/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml b/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml
new file mode 100644
index 000000000..47d7323bc
--- /dev/null
+++ b/rules/integrations/aws/initial_access_signin_console_login_federated_user.toml
@@ -0,0 +1,131 @@
+[metadata]
+creation_date = "2024/08/19"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/10/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a federated user logs into the AWS Management Console. Federated users are typically given temporary
+credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may
+indicate a security risk, as MFA adds an additional layer of security to the authentication process. However, CloudTrail
+does not record whether a Federated User utilized MFA as part of authentication — that MFA decision often occurs at a
+third-party IdP (e.g., Okta, Azure AD, Google). As a result, CloudTrail fields such as MFAUsed / mfaAuthenticated appear
+as “No/false” for federated console logins even if IdP MFA was required. This alert should be correlated with IdP
+authentication logs to verify whether MFA was enforced for the session. Increase priority if you find a related
+"GetSigninToken" event whose source IP / ASN / geo or user-agent differs from the subsequent "ConsoleLogin" (possible
+token relay/abuse). Same-IP/UA pairs within a short window are more consistent with expected operator behavior and can
+be triaged with lower severity.
+"""
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS Sign-In Console Login with Federated User"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating AWS Sign-In Console Login with Federated User
+
+Federated users in AWS are granted temporary credentials to access resources, often without the need for a permanent account. This setup is convenient but can be risky if not properly secured with multi-factor authentication (MFA). Adversaries might exploit this by using stolen or misconfigured credentials to gain unauthorized access. CloudTrail alone cannot reliably indicate MFA usage for federated logins. This rule surfaces potentially risky access for analyst review and IdP correlation.
+
+### Possible investigation steps
+
+- **Identify the prinicipal involved**
+ - `aws.cloudtrail.user_identity.arn` (federated session ARN)
+ - `aws.cloudtrail.user_identity.session_context.session_issuer.*` (role ARN/name, account) of the identity that created the federated session.
+- **Investigate the source context**
+ - examine `source.ip`, ASN, `geo` fields, and `user_agent.original`
+ - Compare against normal IP ranges, known user-agents and expected locations for this identity
+#### Correlate to raise/lower priority
+- **Check IdP MFA:** Find the corresponding IdP login around the same time and verify MFA was required and passed. If IdP shows **no MFA**, raise severity.
+- **Federation token pivot:** Look for a nearby `signin.amazonaws.com` `GetSigninToken` API call.
+ - **More suspicious:** token creation and console login from different public IPs/ASNs/geo fields.
+ - **Less suspicious:** same IP and expected user agents within ~10–15 minutes (typical operator behavior).
+- **Rareness/anomaly signals:** new/rare role or session issuer, rare source IP/ASN/geo, unusual time-of-day, multiple ConsoleLogin events from disparate networks in a short window.
+- Review recent activity associated with the federated user to identify any unusual or unauthorized actions that may have occurred following the login event.
+- Assess the configuration and policies of the Identity Provider (IdP) used for federated access to ensure MFA is enforced and properly configured for all users.
+
+### Related rules
+- AWS Sign-In Token Created - f754e348-f36f-4510-8087-d7f29874cc12
+
+### False positive analysis
+- Organizations using SSO for console access will routinely see federated `ConsoleLogin` where CloudTrail shows `MFAUsed: "No"` — this is expected due to IdP-side MFA.
+- Internal tools/automation that create federation links (`GetSigninToken`) for operators.
+- Maintain allow-lists for corp/VPN CIDRs, approved ASNs, and known automation user-agents.
+
+### Response and remediation
+- If IdP confirms MFA and the source context is expected: document and close.
+- If IdP shows no MFA or context is suspicious:
+ - Notify the security team and relevant stakeholders about the potential security breach to ensure coordinated response efforts.
+ - Disable/lock the IdP account pending review; invalidate IdP sessions if supported.
+ - Temporarily restrict access (e.g., SCPs, session policies, IP-based conditions).
+ - Conduct a thorough review of AWS CloudTrail logs to identify any suspicious activities or unauthorized access attempts associated with both the intitiating user and the federated user account.
+ - Hunt for a preceding `GetSigninToken` from a different IP/ASN/UA (possible token relay).
+ - Ensure IdP policy enforces MFA for AWS app access; re-verify role trust and least-privilege policies.
+- Implement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.
+- Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
+"""
+references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
+risk_score = 47
+rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS",
+ "Data Source: AWS Sign-In",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and
+ event.provider: "signin.amazonaws.com" and
+ event.action : "ConsoleLogin" and
+ aws.cloudtrail.user_identity.type: "FederatedUser" and
+ event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+]
+
diff --git a/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml b/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
deleted file mode 100644
index ca78ccf8c..000000000
--- a/rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
+++ /dev/null
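Review bot: The investigation guide in `note` ships two typos to users — `prinicipal` in the first bullet of "Possible investigation steps" and `intitiating` in the "Conduct a thorough review" bullet under "Response and remediation" — so change them to `- **Identify the principal involved**` and `...associated with both the initiating user and the federated user account.`. The query also mixes the spaced `event.action : "ConsoleLogin"` with the unspaced `event.provider:` / `event.outcome:` form; `event.action: "ConsoleLogin"` keeps it consistent, and the same spacing appears in the `GetSigninToken` query of the new rules_building_block/initial_access_aws_signin_token_created.toml. This file reuses `rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"` from the deleted ESQL rule while switching `type` from `esql` to `query` and widening the match to every successful federated `ConsoleLogin` with no MFA filter, so any deployed exceptions keyed on the old `Esql.*` dissected fields will presumably stop matching and need re-creating against `aws.cloudtrail.user_identity.*` / `source.ip` — inferred from the two hunks, worth calling out in the release notes.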
@@ -1,114 +0,0 @@
-[metadata]
-creation_date = "2024/08/19"
-integration = ["aws"]
-maturity = "production"
-updated_date = "2025/07/16"
-
-[rule]
-author = ["Elastic"]
-description = """
-Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA).
-Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS
-Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to
-the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.
-"""
-from = "now-9m"
-language = "esql"
-license = "Elastic License v2"
-name = "AWS Signin Single Factor Console Login with Federated User"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating AWS Signin Single Factor Console Login with Federated User
-
-Federated users in AWS are granted temporary credentials to access resources, often without the need for a permanent account. This setup is convenient but can be risky if not properly secured with multi-factor authentication (MFA). Adversaries might exploit this by using stolen or misconfigured credentials to gain unauthorized access. The detection rule identifies instances where federated users log in without MFA, flagging potential security risks by analyzing specific AWS CloudTrail events and dissecting login data to check for the absence of MFA, thus helping to mitigate unauthorized access attempts.
-
-### Possible investigation steps
-
-- Review the AWS CloudTrail logs to confirm the event details, focusing on the event.provider, event.action, and aws.cloudtrail.user_identity.type fields to ensure the alert corresponds to a federated user login without MFA.
-- Identify the federated user involved by examining the aws.cloudtrail.user_identity.arn field to determine which user or service is associated with the login attempt.
-- Check the aws.cloudtrail.additional_eventdata field to verify the mfa_used value is "No" and assess if this is expected behavior for the identified user or service.
-- Investigate the source IP address and location of the login attempt to determine if it aligns with typical access patterns for the federated user.
-- Review recent activity associated with the federated user to identify any unusual or unauthorized actions that may have occurred following the login event.
-- Assess the configuration and policies of the Identity Provider (IdP) used for federated access to ensure MFA is enforced and properly configured for all users.
-
-### False positive analysis
-
-- Federated users with specific roles or permissions may frequently log in without MFA due to operational requirements. Review these roles and consider adding them to an exception list if they are deemed non-threatening.
-- Automated processes or scripts using federated credentials might trigger this rule if they are not configured to use MFA. Verify these processes and, if legitimate, exclude them from the rule to prevent unnecessary alerts.
-- Temporary testing or development accounts might be set up without MFA for convenience. Ensure these accounts are monitored and, if necessary, excluded from the rule to avoid false positives.
-- Third-party integrations or services that rely on federated access without MFA could be flagged. Assess these integrations and whitelist them if they are secure and necessary for business operations.
-- Users accessing AWS from secure, controlled environments might not use MFA as part of a risk-based authentication strategy. Evaluate the security of these environments and consider excluding them if they meet your organization's security standards.
-
-### Response and remediation
-
-- Immediately revoke the temporary credentials associated with the federated user account to prevent further unauthorized access.
-- Conduct a thorough review of AWS CloudTrail logs to identify any suspicious activities or unauthorized access attempts associated with the federated user account.
-- Notify the security team and relevant stakeholders about the potential security breach to ensure coordinated response efforts.
-- Implement or enforce multi-factor authentication (MFA) for all federated user accounts to enhance security and prevent similar incidents in the future.
-- Review and update IAM policies and roles associated with federated users to ensure they follow the principle of least privilege.
-- Escalate the incident to the incident response team if any malicious activities are detected, and initiate a full security investigation to assess the impact and scope of the breach.
-- Monitor AWS CloudTrail and other relevant logs closely for any further unauthorized access attempts or anomalies related to federated user accounts."""
-references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
-risk_score = 47
-rule_id = "1f45720e-5ea8-11ef-90d2-f661ea17fbce"
-severity = "medium"
-tags = [
- "Domain: Cloud",
- "Data Source: Amazon Web Services",
- "Data Source: AWS",
- "Data Source: AWS Sign-In",
- "Use Case: Threat Detection",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "esql"
-
-query = '''
-from logs-aws.cloudtrail-* metadata _id, _version, _index
-
-| where
- event.provider == "signin.amazonaws.com"
- and event.action == "GetSigninToken"
- and aws.cloudtrail.event_type == "AwsConsoleSignIn"
- and aws.cloudtrail.user_identity.type == "FederatedUser"
-
-// Extract mobile version and MFA usage
-| dissect aws.cloudtrail.additional_eventdata
- "{%{?mobile_version_key}=%{Esql.aws_cloudtrail_additional_eventdata_device_version}, %{?mfa_used_key}=%{Esql.aws_cloudtrail_additional_eventdata_auth_mfa_used}}"
-
-// Only keep events where MFA was not used
-| where Esql.aws_cloudtrail_additional_eventdata_auth_mfa_used == "No"
-
-// keep relevant ECS and dissected fields
-| keep
- @timestamp,
- event.action,
- aws.cloudtrail.event_type,
- aws.cloudtrail.user_identity.type,
- Esql.aws_cloudtrail_additional_eventdata_device_version,
- Esql.aws_cloudtrail_additional_eventdata_auth_mfa_used
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1078"
-name = "Valid Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/"
-[[rule.threat.technique.subtechnique]]
-id = "T1078.004"
-name = "Cloud Accounts"
-reference = "https://attack.mitre.org/techniques/T1078/004/"
-
-
-
-[rule.threat.tactic]
-id = "TA0001"
-name = "Initial Access"
-reference = "https://attack.mitre.org/tactics/TA0001/"
-
diff --git a/rules_building_block/initial_access_aws_signin_token_created.toml b/rules_building_block/initial_access_aws_signin_token_created.toml
new file mode 100644
index 000000000..2b8d3f7be
--- /dev/null
+++ b/rules_building_block/initial_access_aws_signin_token_created.toml
@@ -0,0 +1,87 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2025/10/09"
+integration = ["aws"]
+maturity = "production"
+updated_date = "2025/10/09"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Captures requests to the AWS federation endpoint (signin.amazonaws.com) for GetSigninToken. This API exchanges existing
+temporary AWS credentials (e.g., from STS GetFederationToken or AssumeRole) for a short-lived sign-in token that is
+embedded in a one-click URL to the AWS Management Console. It is commonly used by custom federation tools and automation
+to pivot from programmatic access to a browser session. This is a building block rule meant to be used for correlation
+with other rules to detect suspicious activity.
+"""
+false_positives = [
+ """
+ Legitimate federation workflows, admin portals, SSO helpers, CI/CD jobs, or internal scripts that create one-click
+ console links, commonly invoke GetSigninToken and may generate frequent benign events.
+ """,
+]
+from = "now-6m"
+index = ["filebeat-*", "logs-aws.cloudtrail-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS Sign-In Token Created"
+references = ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"]
+risk_score = 21
+rule_id = "f754e348-f36f-4510-8087-d7f29874cc12"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Data Source: AWS Sign-In",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "aws.cloudtrail" and
+ event.provider: "signin.amazonaws.com" and
+ event.action : "GetSigninToken" and
+ event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "user.name",
+ "user_agent.original",
+ "source.ip",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.arn",
+ "aws.cloudtrail.user_identity.session_context.session_issuer.type",
+ "aws.cloudtrail.user_identity.access_key_id",
+ "event.action",
+ "event.outcome",
+ "cloud.account.id",
+ "cloud.region",
+]
+
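Review bot: The `false_positives` entry is a multi-line basic string whose continuation lines are indented, and TOML keeps that leading whitespace in the value (only the newline directly after the opening `"""` is trimmed), so the stored text carries the indentation on each line plus a trailing newline-and-spaces before the closing `"""` unless the rule loader strips it. Opening with `"""\` and ending each text line with a line-ending `\` (`... that create one-click \`) folds the continuation whitespace away, or the two lines can be collapsed into one `"..."` string. `bypass_bbr_timing = true` next to `from = "now-6m"` is the non-obvious choice in this file and goes unexplained; a comment above it such as `# run on the same 6m cadence as the federated ConsoleLogin rule so GetSigninToken events are available for correlation` would carry the intent, assuming the repo's TOML tooling preserves comments on rewrite.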