AWS EC2 Role GetCallerIdentity from New Source AS Organization

Last updated: 2026-04-03
Created: 2026-04-03

About

Identifies the first time an EC2 instance role session calls AWS STS GetCallerIdentity from a given source autonomous system (AS) organization name within the lookback window. Instance role sessions are recognised by the instance ID in the assumed-role session name (`user.id` matching `*:i-*`). Adversaries who steal instance role credentials, for example via the instance metadata service, often verify them with GetCallerIdentity from infrastructure outside your normal egress paths. Baselining the pairing of identity and source network reduces noise from stable NAT or AWS-classified egress compared to alerting on every call from a non-Amazon ASN.
Tags
Domain: Cloud
Domain: Identity
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS STS
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Discovery
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)

False Positive Examples
New EC2 workloads, NAT or egress changes, ISP renumbering, or GeoIP database updates can change `source.as.organization.name` for the same logical path. Roles that legitimately call STS from many networks (for example, developer-exported temporary credentials) may also produce alerts. Tune using role ARN, account, or user agent where appropriate.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
text code block:
event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "GetCallerIdentity" and event.outcome: "success" and aws.cloudtrail.user_identity.type: "AssumedRole" and user.id: *\:i-* and source.as.organization.name:(* and not (AMAZON* or Amazon* or Google* or "MongoDB, Inc."))
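The following is an added example, not code from Elastic or the rule itself. It replays the query's filter clauses and a new-terms baseline over constructed, ECS-flattened CloudTrail events so the behaviour described above can be checked offline. It assumes the new-terms key is the pair (`user.id`, `source.as.organization.name`); the role ID, instance ID, and the "Contoso Telecom AB" AS organization are made up.

```python
"""Replay the rule's KQL filter plus a new-terms baseline over constructed
CloudTrail events. Added example; the rule engine itself is Elastic's.
Assumption: the new-terms key is (user.id, source.as.organization.name)."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Literal clauses of the rule query: field -> required value.
REQUIRED = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "sts.amazonaws.com",
    "event.action": "GetCallerIdentity",
    "event.outcome": "success",
    "aws.cloudtrail.user_identity.type": "AssumedRole",
}
# AS organizations the query excludes. KQL wildcards on keyword fields are
# case-sensitive, which is why the rule lists both AMAZON* and Amazon*.
EXCLUDED_AS_ORG = ("AMAZON*", "Amazon*", "Google*", "MongoDB, Inc.")


def matches_query(event: dict) -> bool:
    """Mirror the KQL: literal clauses, user.id: *:i-*, and the AS-org exclusions."""
    if any(event.get(k) != v for k, v in REQUIRED.items()):
        return False
    # AssumedRole principal IDs look like AROA...:<session>; EC2 instance
    # profiles use the instance ID as the session name, hence ':i-'.
    if not fnmatchcase(event.get("user.id", ""), "*:i-*"):
        return False
    as_org = event.get("source.as.organization.name")
    if not as_org:  # source.as.organization.name:* requires the field to exist
        return False
    return not any(fnmatchcase(as_org, pat) for pat in EXCLUDED_AS_ORG)


class NewTermsDetector:
    """Alert the first time a (user.id, AS org) pair appears within the lookback."""

    def __init__(self, lookback: timedelta):
        self.lookback = lookback
        self.last_seen: dict[tuple[str, str], datetime] = {}

    def process(self, event: dict):
        if not matches_query(event):
            return None
        ts = datetime.fromisoformat(event["@timestamp"])
        key = (event["user.id"], event["source.as.organization.name"])
        previous = self.last_seen.get(key)
        self.last_seen[key] = ts
        if previous is not None and ts - previous <= self.lookback:
            return None  # pair already baselined inside the window
        return {"@timestamp": event["@timestamp"],
                "user.id": key[0], "source.as.organization.name": key[1]}


def build_events() -> list:
    """Constructed sample events (not real CloudTrail data)."""
    role = "AROAEXAMPLEROLEID:i-0abc1234def567890"  # hypothetical instance session
    base = dict(REQUIRED, **{"user.id": role})
    contoso = "Contoso Telecom AB"  # hypothetical non-cloud AS organization
    return [
        {**base, "@timestamp": "2026-04-01T08:00:00+00:00",
         "source.as.organization.name": "AMAZON-02"},        # normal AWS egress, excluded
        {**base, "@timestamp": "2026-04-01T08:05:00+00:00",
         "source.as.organization.name": contoso},            # first sighting -> alert
        {**base, "@timestamp": "2026-04-01T08:06:00+00:00",
         "source.as.organization.name": contoso},            # repeat -> suppressed
        {**base, "@timestamp": "2026-04-01T08:07:00+00:00",
         "source.as.organization.name": contoso,
         "event.outcome": "failure"},                        # failed call, out of scope
        {**base, "@timestamp": "2026-04-01T08:08:00+00:00",
         "source.as.organization.name": "Google LLC"},       # excluded cloud AS org
        {**base, "@timestamp": "2026-04-01T08:09:00+00:00",
         "source.as.organization.name": contoso,
         "user.id": "AROAEXAMPLEROLEID:deploy-session"},     # not an instance session
        {**base, "@timestamp": "2026-04-20T08:00:00+00:00",
         "source.as.organization.name": contoso},            # pair aged out of lookback
    ]


def run(lookback_days: int = 14) -> list:
    """Feed the constructed events through the detector and return the alerts."""
    detector = NewTermsDetector(timedelta(days=lookback_days))
    alerts = []
    for event in sorted(build_events(), key=lambda e: e["@timestamp"]):
        alert = detector.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the default 14-day lookback the run yields two alerts for the same role and AS organization (the first sighting and the re-appearance after the pair has aged out of the window); widening the lookback to 30 days collapses it to one. The AMAZON-02, Google LLC, failed, and non-instance-session events never reach the baseline, matching the exclusions in the query.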

Install detection rules in Elastic Security

Detect AWS EC2 Role GetCallerIdentity from New Source AS Organization in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.