AWS IAM API Calls via Temporary Session Tokens
- source: elastic
- techniques:
- T1098
Description
Detects use of sensitive AWS IAM API operations using temporary credentials (session tokens starting with "ASIA"). This may indicate credential theft or abuse of elevated access via a stolen session. It is not common for legitimate users to perform sensitive IAM operations with temporary session tokens.
Detection logic
event.dataset: aws.cloudtrail
and event.provider: ("iam.amazonaws.com")
and event.outcome: "success"
and aws.cloudtrail.user_identity.type: "IAMUser"
and aws.cloudtrail.user_identity.access_key_id: ASIA*
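As an added example (not part of the rule above or of Elastic's code), the same four conditions applied in Python to raw CloudTrail records, so the logic can be checked offline against constructed events. It assumes the raw fields eventSource, errorCode and userIdentity map to the ECS fields used in the query, and that event.outcome is "success" exactly when a record carries no errorCode.

```python
# Constructed CloudTrail-style records (not real log data); the fields follow the
# raw CloudTrail schema, which Elastic maps to the ECS names used in the rule.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "ASIAEXAMPLE000000001"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "accessKeyId": "AKIAEXAMPLE000000002"}},   # long-term key
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",                      # not IAMUser
                      "accessKeyId": "ASIAEXAMPLE000000003"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "errorCode": "AccessDenied",                                 # not a success
     "userIdentity": {"type": "IAMUser", "userName": "carol",
                      "accessKeyId": "ASIAEXAMPLE000000004"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "dave",     # not IAM
                      "accessKeyId": "ASIAEXAMPLE000000005"}},
]


def is_success(record: dict) -> bool:
    """event.outcome: "success" -- assumed to mean the record has no errorCode."""
    return "errorCode" not in record


def matches_rule(record: dict) -> bool:
    """Apply the rule's four conditions to one raw CloudTrail record."""
    ident = record.get("userIdentity") or {}
    key_id = str(ident.get("accessKeyId", ""))
    return (
        record.get("eventSource") == "iam.amazonaws.com"   # event.provider
        and is_success(record)                               # event.outcome
        and ident.get("type") == "IAMUser"                   # user_identity.type
        and key_id.startswith("ASIA")                        # access_key_id: ASIA*
    )


def find_matches(records: list) -> list:
    """Return (eventName, userName, accessKeyId) for each record that fires the rule."""
    return [
        (r["eventName"], r["userIdentity"].get("userName"), r["userIdentity"]["accessKeyId"])
        for r in records
        if matches_rule(r)
    ]


if __name__ == "__main__":
    for name, user, key in find_matches(SAMPLE_RECORDS):
        print(f"ALERT: {user} called iam:{name} with temporary key {key}")
```

Only the first record fires; the other four each fail exactly one condition, which is a useful set of negative cases when porting the rule to another engine.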