LoFP / AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS STS AssumeRole Misuse

Description

Identifies suspicious use of AssumeRole. Attackers could use it to move laterally and escalate privileges.

Detection logic

detection:
  selection:
    userIdentity.sessionContext.sessionIssuer.type: Role
    userIdentity.type: AssumedRole
  condition: selection
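The selection above evaluated over CloudTrail JSON lines, with the false-positive exemption from the note at the top applied as an allow-list of known session issuers. This is an added example, not code from the rule's authors; the events, account id and role names are constructed, and the exemption field (sessionIssuer.userName) is an assumption about how a team would express "known behavior".

```python
import json

# Sigma-style selection from the rule: every key is a dotted path into the
# CloudTrail event and every value must match exactly (logical AND).
SELECTION = {
    "userIdentity.sessionContext.sessionIssuer.type": "Role",
    "userIdentity.type": "AssumedRole",
}

def _event(identity_type, issuer_type=None, issuer_name=None, arn=""):
    """Build one constructed CloudTrail-style JSON line (not real log data)."""
    identity = {"type": identity_type, "arn": arn}
    if issuer_type:
        identity["sessionContext"] = {
            "sessionIssuer": {"type": issuer_type, "userName": issuer_name}}
    return json.dumps({"eventName": "AssumeRole", "userIdentity": identity})

# Constructed sample log: a known CI role, an unexpected admin session,
# a plain IAM user and a federated user. Only the first two fit the selection.
SAMPLE_LOG_LINES = [
    _event("AssumedRole", "Role", "CI-DeployRole", "arn:aws:sts::123456789012:assumed-role/CI-DeployRole/build-42"),
    _event("AssumedRole", "Role", "AdminRole", "arn:aws:sts::123456789012:assumed-role/AdminRole/unknown-host"),
    _event("IAMUser", arn="arn:aws:iam::123456789012:user/bob"),
    _event("FederatedUser", "IAMUser", "carol", "arn:aws:sts::123456789012:federated-user/carol"),
]

def get_field(event, dotted_path):
    """Resolve a dotted Sigma field name against the nested record; None if absent."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_selection(event, selection=SELECTION):
    """Sigma 'selection': all listed field/value pairs must match."""
    return all(get_field(event, k) == v for k, v in selection.items())

def run_detection(log_lines, exempt_issuers=frozenset()):
    """Return ARNs of sessions the rule flags, skipping sessions issued by
    roles on the exemption list (the LoFP tuning for known behavior)."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        issuer = get_field(event, "userIdentity.sessionContext.sessionIssuer.userName")
        if matches_selection(event) and issuer not in exempt_issuers:
            hits.append(get_field(event, "userIdentity.arn"))
    return hits
```

Without an exemption list the rule fires on every role-issued AssumedRole session, which is why the false-positive note matters in busy accounts.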