Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule.

Techniques

Sample rules

AWS STS GetCallerIdentity API Called for the First Time

Description

An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine which account they belong to. This rule looks for the first time within the last 15 days that an identity has called the STS GetCallerIdentity API operation, which may be an indicator of compromised credentials. A legitimate user would rarely need to call this operation, as they should already know which account they are using.

Detection logic

event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "GetCallerIdentity"
    and event.outcome: "success"
    and not aws.cloudtrail.user_identity.type: "AssumedRole"
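The following added example (not part of the original rule or its source) applies the KQL filter above to constructed CloudTrail events in ECS layout, then implements the "first call within 15 days" logic and an exemption list of the kind the false-positive note describes. The ARNs, the helper `ev`, and `EXEMPT_IDENTITIES` are assumptions made for the sample.

```python
from datetime import datetime, timedelta

ALICE = "arn:aws:iam::111122223333:user/alice"          # constructed sample ARNs
CI = "arn:aws:iam::111122223333:user/ci-scanner"        # a known scanner, exempted below
ROLE = "arn:aws:sts::111122223333:assumed-role/Admin/sess"
EXEMPT_IDENTITIES = frozenset({CI})                      # hypothetical exemption list


def ev(ts, arn, utype="IAMUser", action="GetCallerIdentity", outcome="success"):
    """Build a minimal CloudTrail event in the ECS field layout the rule queries."""
    return {"@timestamp": ts,
            "event": {"dataset": "aws.cloudtrail", "provider": "sts.amazonaws.com",
                      "action": action, "outcome": outcome},
            "aws": {"cloudtrail": {"user_identity": {"type": utype, "arn": arn}}}}


# Constructed sample log, deliberately out of order and with cases the filter must drop.
EVENTS = [
    ev("2024-03-02T10:00:00Z", ALICE),                       # repeat within 15 days
    ev("2024-03-01T09:00:00Z", ALICE),                       # first call ever -> alert
    ev("2024-03-03T11:00:00Z", ROLE, utype="AssumedRole"),   # excluded by the rule
    ev("2024-03-03T12:00:00Z", ALICE, outcome="failure"),    # not a success
    ev("2024-03-04T08:00:00Z", ALICE, action="AssumeRole"),  # different API operation
    ev("2024-03-05T08:00:00Z", CI),                          # known scanner -> exempt
    ev("2024-03-20T09:00:00Z", ALICE),                       # 18 days after last call -> alert
]


def matches_rule(event):
    """The rule's KQL filter, applied to one event."""
    e, ident = event["event"], event["aws"]["cloudtrail"]["user_identity"]
    return (e["dataset"] == "aws.cloudtrail" and e["provider"] == "sts.amazonaws.com"
            and e["action"] == "GetCallerIdentity" and e["outcome"] == "success"
            and ident["type"] != "AssumedRole")


def first_time_callers(events, window_days=15, exempt=frozenset()):
    """Return (timestamp, arn) for each matching call that is the identity's first
    within the trailing window, skipping identities on the exemption list."""
    last_seen, alerts = {}, []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_rule(event):
            continue
        arn = event["aws"]["cloudtrail"]["user_identity"]["arn"]
        ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        prev = last_seen.get(arn)
        if arn not in exempt and (prev is None or ts - prev > timedelta(days=window_days)):
            alerts.append((event["@timestamp"], arn))
        last_seen[arn] = ts
    return alerts


if __name__ == "__main__":
    for when, who in first_time_callers(EVENTS, exempt=EXEMPT_IDENTITIES):
        print(f"ALERT first GetCallerIdentity in 15d: {who} at {when}")
```

Running it with the sample data alerts on alice twice (her first call, and again once 15 days have passed without a call) and never on the exempted scanner.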