AWS EC2 Role GetCallerIdentity from New Source AS Organization

Identifies the first time an EC2 instance role session calls AWS STS GetCallerIdentity from a given source autonomous system (AS) organization name within the lookback window. Adversaries who steal instance role credentials often verify them with GetCallerIdentity from infrastructure outside your normal egress paths. Baseline learning on the pairing of identity and source network reduces noise from stable NAT or AWS-classified egress compared to alerting on every call from a non-Amazon ASN.

Elastic rule

[metadata]
creation_date = "2026/04/03"
integration = ["aws"]
maturity = "production"
updated_date = "2026/04/03"

[rule]
author = ["Elastic"]
description = """
Identifies the first time an EC2 instance role session calls AWS STS GetCallerIdentity from a given source autonomous
system (AS) organization name within the lookback window. Adversaries who steal instance role credentials often verify
them with GetCallerIdentity from infrastructure outside your normal egress paths. Baseline learning on the pairing of
identity and source network reduces noise from stable NAT or AWS-classified egress compared to alerting on every call
from a non-Amazon ASN.
"""
false_positives = [
    """
    New EC2 workloads, NAT or egress changes, ISP renumbering, or GeoIP database updates can change
    `source.as.organization.name` for the same logical path. Roles that legitimately call STS from many networks (for
    example, developer-exported temporary credentials) may also produce alerts. Tune using role ARN, account, or user
    agent where appropriate.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS EC2 Role GetCallerIdentity from New Source AS Organization"
note = """## Triage and analysis

### Investigating AWS EC2 Role GetCallerIdentity from New Source AS Organization

The `GetCallerIdentity` API returns details about the IAM principal owning the credentials. It requires no IAM permissions and is commonly used to validate stolen or exported credentials.

EC2 instance role sessions appear in CloudTrail as `AssumedRole` with a session identifier matching an instance id (for example, `arn:aws:sts::account:assumed-role/role-name/i-0123456789abcdef0`). This complements the rule **AWS STS GetCallerIdentity API Called for the First Time**, which excludes `AssumedRole`. Here, a **New Terms** condition applies to the combination of `aws.cloudtrail.user_identity.arn` and `source.as.organization.name` over a 10-day history window. The first observation of that pair triggers an alert, which suppresses repeated noise when the same role keeps using the same stable egress AS organization (for example, the same NAT or provider label).

#### Possible investigation steps

- Confirm the assumed-role ARN and instance id; map the instance to an account, VPC, and expected egress (NAT gateway, IGW, proxy).
- Compare `source.as.organization.name` and `source.ip` to historical CloudTrail for the same role session or role.
- Review `user_agent.original` for tooling inconsistent with the instance (for example, unexpected OS or CLI version).
- Correlate with other alerts from the same `aws.cloudtrail.user_identity.access_key_id` or instance over the prior 48 hours.

### False positive analysis

- New instances or roles calling GetCallerIdentity once per new AS label are expected to alert once per new term until the baseline ages in.
- Missing or changing GeoIP enrichment can alter `source.as.organization.name`; ensure the field is populated consistently.

### Response and remediation

- If credentials are suspected stolen, revoke the session by stopping the instance, removing the role from the instance profile, or tightening trust and permissions; rotate any long-lived secrets the instance could access.
- Scope follow-on API activity from the same access key id and investigate the initial access vector (SSRF, IMDS abuse, malware).

### Additional information

- [GetCallerIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html)
"""
references = [
    "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html",
    "https://detectioninthe.cloud/ttps/discovery/sts_get_caller_identity",
]
risk_score = 47
rule_id = "b2f8c4e1-6a73-4f1e-9c2d-8e5b0a1d3f7c"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS STS",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "aws.cloudtrail"
    and event.provider: "sts.amazonaws.com"
    and event.action: "GetCallerIdentity"
    and event.outcome: "success"
    and aws.cloudtrail.user_identity.type: "AssumedRole"
    and user.id: *\:i-*
    and source.as.organization.name:(* and not (AMAZON* or Amazon* or Google* or "MongoDB, Inc."))
'''

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "source.as.organization.name",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
]

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"

[[rule.threat.technique.subtechnique]]
id = "T1087.004"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1087/004/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

[rule.new_terms]
field = "new_terms_fields"
value = ["source.as.organization.name", "user.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
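
The query filter and the New Terms pairing described in the rule and its triage note, modelled as an added Python example (not part of the Elastic rule or the detection engine): it applies each KQL clause to constructed CloudTrail-style events and raises an alert the first time a (`user.id`, `source.as.organization.name`) pair appears within the 10-day history window, using `user.id` as `rule.new_terms` does. Field names are the rule's own; the event values, role id and `Example ...` AS names are constructed.

```python
import re
from datetime import datetime, timedelta

HISTORY_WINDOW = timedelta(days=10)       # rule.new_terms: history_window_start = now-10d
INSTANCE_SESSION = re.compile(r":i-")     # mirrors the KQL clause user.id: *\:i-*
EXCLUDED_AS_PREFIXES = ("AMAZON", "Amazon", "Google")
EXCLUDED_AS_EXACT = {"MongoDB, Inc."}

def matches_query(ev):
    """Apply the rule's KQL filter to one event given as flattened dotted ECS keys."""
    org = ev.get("source.as.organization.name")  # the `*` clause needs this populated (GeoIP)
    return (ev.get("event.dataset") == "aws.cloudtrail"
            and ev.get("event.provider") == "sts.amazonaws.com"
            and ev.get("event.action") == "GetCallerIdentity"
            and ev.get("event.outcome") == "success"
            and ev.get("aws.cloudtrail.user_identity.type") == "AssumedRole"
            and INSTANCE_SESSION.search(ev.get("user.id", "")) is not None
            and bool(org)
            and not org.startswith(EXCLUDED_AS_PREFIXES)
            and org not in EXCLUDED_AS_EXACT)

def new_terms_alerts(events, window=HISTORY_WINDOW):
    """Alert on each (user.id, AS org) pair unseen in the prior window; events sorted by @timestamp."""
    last_seen, alerts = {}, []
    for ev in events:
        if not matches_query(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = (ev["user.id"], ev["source.as.organization.name"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append((ev["@timestamp"], *key))
        last_seen[key] = ts
    return alerts

def sample_events():
    """Constructed CloudTrail-style events (not real data); ids and AS names are made up."""
    base = {"event.dataset": "aws.cloudtrail", "event.provider": "sts.amazonaws.com",
            "event.action": "GetCallerIdentity", "event.outcome": "success",
            "aws.cloudtrail.user_identity.type": "AssumedRole", "user.id": "AROAEXAMPLEROLEID:i-0123456789abcdef0"}
    ts, org = "@timestamp", "source.as.organization.name"
    return [
        {**base, ts: "2026-04-01T08:00:00", org: "Example NAT ISP"},   # first sighting: alert
        {**base, ts: "2026-04-01T09:00:00", org: "Example NAT ISP"},   # same pair: suppressed
        {**base, ts: "2026-04-01T10:00:00", org: "AMAZON-02"},         # AWS egress: excluded
        {**base, ts: "2026-04-02T03:00:00", org: "Example VPS Host"},  # new pair: alert
        {**base, ts: "2026-04-02T03:05:00", org: "Example VPS Host",
         "user.id": "AROAEXAMPLEROLEID:dev-session"},                  # not an instance session
        {**base, ts: "2026-04-12T04:00:00", org: "Example NAT ISP"},   # 11-day gap: alerts again
    ]
```

Running `new_terms_alerts(sample_events())` yields three alerts: the first NAT ISP sighting, the new VPS Host pair, and the NAT ISP pair again after it ages out of the window.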
