t1550.001
| Title | Tags |
| --- | --- |
| AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. | t1548, t1550, t1550.001, aws, sigma |
| AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. | t1548, t1550, t1550.001, aws, sigma |
| Automated processes that use Terraform may lead to false positives. | t1078, t1548, t1550, t1550.001, aws, sigma |
| GetSigninToken events will occur when using the AWS SSO portal to log in and will generate false positives if you do not filter for the expected user agent(s); see filter. Non-SSO configured roles would be abnormal and should be investigated. | t1021, t1021.007, t1550, t1550.001, aws, sigma |
| A SAML provider being updated by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. | t1078, t1548, t1550, t1550.001, aws, sigma |