New EC2 workloads, NAT or egress changes, ISP renumbering, or GeoIP database updates can change `source.as.organization.name` for the same logical path. Roles that legitimately call STS from many networks (for example, developer-exported temporary credentials) may also produce alerts. Tune using role ARN, account, or user agent where appropriate.

Techniques

Sample rules

AWS EC2 Role GetCallerIdentity from New Source AS Organization

Description

Identifies the first time an EC2 instance role session calls AWS STS GetCallerIdentity from a given source autonomous system (AS) organization name within the lookback window. Adversaries who steal instance role credentials often verify them with GetCallerIdentity from infrastructure outside your normal egress paths. Baseline learning on the pairing of identity and source network reduces noise from stable NAT or AWS-classified egress compared to alerting on every call from a non-Amazon ASN.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "GetCallerIdentity"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AssumedRole"
    and user.id: *\:i-*
    and source.as.organization.name:(* and not (AMAZON* or Amazon* or Google* or "MongoDB, Inc."))
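The following is an added Python illustration of the rule's two parts, not code from the rule or from Elastic: the KQL filter above applied to flattened CloudTrail events, and a simplified new-terms baseline that alerts only the first time a given instance role session id is paired with a source AS organization within a lookback window. The 14-day window, the role session id, and the AS organization names are constructed sample values.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

EXCLUDED_AS_PREFIXES = ("AMAZON", "Amazon", "Google")  # AMAZON*, Amazon*, Google*
EXCLUDED_AS_EXACT = {"MongoDB, Inc."}

def matches_filter(e):
    """Apply the rule's KQL conditions to one flattened CloudTrail event."""
    as_org = e.get("source.as.organization.name")
    return (
        e.get("event.dataset") == "aws.cloudtrail"
        and e.get("event.provider") == "sts.amazonaws.com"
        and e.get("event.action") == "GetCallerIdentity"
        and e.get("event.outcome") == "success"
        and e.get("aws.cloudtrail.user_identity.type") == "AssumedRole"
        and fnmatchcase(e.get("user.id", ""), "*:i-*")  # session named after an instance id
        and as_org is not None
        and not as_org.startswith(EXCLUDED_AS_PREFIXES)
        and as_org not in EXCLUDED_AS_EXACT
    )

def new_pair_alerts(events, lookback=timedelta(days=14)):
    """Return (user.id, AS org) pairs not seen in the preceding lookback window."""
    last_seen, alerts = {}, []
    for e in sorted(events, key=lambda x: x["@timestamp"]):  # stable: keeps same-time order
        if not matches_filter(e):
            continue
        key = (e["user.id"], e["source.as.organization.name"])
        prev = last_seen.get(key)
        if prev is None or e["@timestamp"] - prev > lookback:
            alerts.append(key)
        last_seen[key] = e["@timestamp"]
    return alerts

def _ev(ts, user_id, as_org, utype="AssumedRole", outcome="success"):
    """Build one constructed CloudTrail event in flattened ECS field form."""
    return {"@timestamp": ts, "event.dataset": "aws.cloudtrail",
            "event.provider": "sts.amazonaws.com", "event.action": "GetCallerIdentity",
            "event.outcome": outcome, "aws.cloudtrail.user_identity.type": utype,
            "user.id": user_id, "source.as.organization.name": as_org}

T0 = datetime(2024, 1, 1)
ROLE = "AROAEXAMPLEID:i-0123456789abcdef0"  # constructed instance role session id
SAMPLE_EVENTS = [  # constructed sample data
    _ev(T0, ROLE, "Amazon.com, Inc."),                       # AWS egress: excluded by filter
    _ev(T0 + timedelta(days=1), ROLE, "ExampleCorp ISP"),    # first pairing: alert
    _ev(T0 + timedelta(days=2), ROLE, "ExampleCorp ISP"),    # already baselined: no alert
    _ev(T0 + timedelta(days=2), ROLE, "Other Hosting LLC"),  # new network, same role: alert
    _ev(T0 + timedelta(days=2), "AROAEXAMPLEID:alice", "Other Hosting LLC"),  # not an instance
    _ev(T0 + timedelta(days=3), ROLE, "Other Hosting LLC", outcome="failure"),  # failed call
    _ev(T0 + timedelta(days=20), ROLE, "ExampleCorp ISP"),   # outside lookback: alerts again
]
```

Running `new_pair_alerts(SAMPLE_EVENTS)` yields three alerts; the last one shows why the false positives listed at the top recur whenever a pairing ages out of the lookback window.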