[New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses

[terrancedejesus]

Pull Request

Issue link(s):

• https://github.com/elastic/ia-trade-team/issues/585

Summary - What I changed

Adds detection coverage for AWS STS Temporary IAM Session Token Used from Multiple Addresses. Identified via ByBit/SafeWallet attack in February 2025.

This rule detects when a single IAM user's temporary session token is used from multiple IP addresses within a short time frame. This behavior may indicate that an adversary has stolen temporary credentials and is using them from a different location.

Additional Information:

• Relies on AWS CloudTrail logs
• Requires user identity type to be IAM user or assumed role. If too noisy, we may reduce to IAM user only, which would be a high fidelity signal
• Ignores IaC tools and automation via user agent fingerprint. Please note that there is no other option for ignoring these.
• Focuses solely on temporary session tokens by filtering access key IDs with "ASIA*"
• Creates a timestamp bucket for 30 minute increments
• Keeps source IPs identified via VALUES(), then counts distinct IPs reported for a specific principal ARN
• Aggregation looks for address count >= 2

How To Test

Please review related meta for testing and emulation behavior.

Checklist

• [ ] Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• [ ] Added the meta:rapid-merge label if planning to merge within 24 hours
• [ ] Secret and sensitive material has been managed correctly
• [ ] Automated testing was updated or added to match the most common scenarios
• [ ] Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[github-actions[bot]]

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

• [ ] Detailed description of the rule.
• [ ] List any new fields required in ECS/data sources.
• [ ] Link related issues or PRs.
• [ ] Include references.

Rule Metadata Checks

• [ ] creation_date matches the date of creation PR initially merged.
• [ ] min_stack_version should support the widest stack versions.
• [ ] name and description should be descriptive and not include typos.
• [ ] query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
• [ ] min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
• [ ] index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
• [ ] integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
• [ ] setup should include the necessary steps to configure the integration.
• [ ] note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
• [ ] tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
• [ ] threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

• [ ] building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
• [ ] bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

• [ ] Provide evidence of testing and detecting the expected threat.
• [ ] Check for existence of coverage to prevent duplication.