Navigation :

AWS Detect Sts Assume Role Abuse

Description

This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.

Help
AWS Detect Sts Assume Role Abuse Help You must install splunk AWS add on and Splunk App for AWS. This search works with cloudtrail logs

Help

AWS Detect Sts Assume Role Abuse Help

You must install splunk AWS add on and Splunk App for AWS. This search works with cloudtrail logs

Search
`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role \| table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate \| `aws_detect_sts_assume_role_abuse_filter` Open in Search

Search

`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`

Open in Search