[New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User

[terrancedejesus]

Pull Request

Issue link(s):

• https://github.com/elastic/ia-trade-team/issues/272

Summary - What I changed

Adds new hunting query for unusual and infrequent occurrences for AWS access key usage for IAM users and roles. This hunting query can be used to identify potentially compromised credentials or temporary credential abuse in AWS.

We encourage users to filter additionally on aws.cloudtrail.user_identity.arn to whitelist known IAM roles and users. Additionally, we encourage users to add filters for event.action if they would like to ignore specific events or event types.

How To Test

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[protectionsmachine]

Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

• Detailed description of the Hunt.
• Link related issues or PRs.
• Include references.
• Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

• author: The name of the individual or organization authoring the rule.
• uuid: Unique UUID.
• name and description are descriptive and typo-free.
• language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
• query is inclusive, not overly exclusive, considering performance for diverse environments.
• integration aligns with the index. Ensure updates if the integration is newly introduced.
• notes includes additional information regarding data collected from the hunting query.
• mitre matches appropriate technique and sub-technique IDs that hunting query collect's data for.
• references are valid URL links that include information relevenat to the hunt or threat.
• license

Testing and Validation

• Evidence of testing and valid query usage.
• Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
• Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
• Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.

[eric-forte-elastic]

🟢 Manual review, looks good to me! 👍