From Concept to Reality: Using AI-Guided Investigation to Build a JIT Privilege Correlation Rule
How Astro (Abstract's embedded AI) helped us go from a vague idea to a near-complete, production-ready detection without writing a single query from scratch.
The Idea
Every security team running a Just-in-Time (JIT) privileged access solution faces the same challenge: you know who got access and when, but can you automatically correlate that assignment to the specific actions they took during that session? Can you build a detection that connects those two dots in real time?
That's exactly the question we set out to answer. The concept was straightforward on the surface:
- Detect when a JIT solution assigns a permission set to a user
- Extract the target user's email from that assignment event
- Identify all downstream actions performed under a session bearing that user's identity
Simple in theory. In practice, multi-stage correlation rules like this require deep knowledge of your log schema, field-level data, and how your tooling actually behaves at runtime. Historically, that means hours of manual log digging before you ever open the rule builder.
We decided to let Astro do the heavy lifting instead.
What Is Astro AI?
Astro AI is the AI Security Engineer embedded natively inside the Abstract Security platform. It isn't a chatbot that gives you generic answers — it has direct access to your environment. It can search your actual events, inspect real log fields, enrich indicators, manage insights, and guide you through building detections using the data that actually exists in your environment.
Think of it less like a search engine and more like a senior security engineer sitting next to you who already has eyes on your data.
Starting the Conversation
We opened Astro and described the use case in plain language, meaning no query syntax, field names, or assumptions. Just the concept:
"Our JIT solution calls assign permission set. Extract the user email the permission set was assigned to from that request event. Identify logs of actions performed by that permission set with a session name containing the user's email."
Astro immediately recognized this as a multi-stage correlation problem and laid out two implementation paths: an Analytics correlation rule for real-time detection, or a Pipeline enrichment model for persistent tagging at ingest. It explained the tradeoffs of each, recommended starting with the Analytics rule to validate the logic, and outlined the exact blocks we'd need to build.

We hadn't written a single thing yet. We already had an architecture.
Finding the Right Logs Without Knowing Where to Look
Here's where things got genuinely impressive.
Rather than jumping straight into rule configuration, Astro asked the right question first:
"Would you like me to help find a sample JIT assignment event in your logs to confirm the field names before you start building?"
Yes. Absolutely yes! We said go ahead.
Astro searched our actual event data and surfaced the real trigger event, which was not AssignPermissionSet, as we had assumed, but CreateAccountAssignment via sso.amazonaws.com. It identified the exact fields to use for Block 1 of the rule and immediately flagged something important: the target user in that event wasn't represented by an email address. It was an SSO User GUID.

That's the kind of discovery that would have broken a manually-built rule on day one.
Going Deeper: The Session Name Question
With Block 1 scoped, Astro turned its attention to Block 2: the downstream action logs. The original design assumed that our JIT tool (TEAM) would stamp the user's email into the roleSessionName field when they assume their JIT-granted role, which is a common pattern in AWS CloudTrail environments.
Astro searched our session logs proactively to validate this. What it found gave us valuable signal: over the last seven days, the session name fields in our environment were populated entirely by automated workloads (Kubernetes service accounts, AWS service roles, named IAM roles) with no human-generated JIT sessions visible in that window.
This didn't mean the design was wrong. It meant we hadn't had a human actively use a JIT-assigned role in that timeframe, or that the session name format used by TEAM needed to be confirmed. Astro laid out exactly what we needed to verify:
- Does TEAM set roleSessionName to the user's email, their SSO GUID, or something else?
- The fastest way to confirm: trigger a live test assignment and observe the resulting CloudTrail event.
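To make the two blocks concrete, here is an added example of the correlation logic in Python; it is not Astro's output or the Abstract Security platform's rule, and it runs over constructed CloudTrail-style events. It assumes the CreateAccountAssignment event carries the SSO GUID in requestParameters.principalId and the permission set in requestParameters.permissionSetArn, that downstream actions expose the session name either in requestParameters.roleSessionName or as the last segment of an assumed-role userIdentity.arn, and that a GUID-to-email map (the enrichment step mentioned below) may or may not be available. Because the roleSessionName format is still the open question, Block 2 matches on either the resolved email or the raw GUID, and an eight-hour window after the assignment is an assumed value.

```python
# Added example (not Abstract Security's or Astro's code): a toy version of the
# two-block JIT correlation described in the post, run over constructed
# CloudTrail-style events. Field paths named below are assumptions.
from datetime import datetime, timedelta, timezone

USER_GUID = "a1b2c3d4-0000-1111-2222-333344445555"  # constructed SSO user GUID
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/TEAM-JIT-Admin/"

# Constructed GUID -> email map; stands in for a pipeline enrichment step
# that resolves SSO GUIDs to email addresses.
IDENTITY_STORE = {USER_GUID: "alice@example.com"}

SAMPLE_EVENTS = [  # constructed; trimmed to the fields the logic reads
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment",
     "requestParameters": {"principalType": "USER", "principalId": USER_GUID,
                           "permissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"}},
    # A denied assignment: Block 1 must ignore it.
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment", "errorCode": "AccessDeniedException",
     "requestParameters": {"principalType": "USER", "principalId": "ffff-denied"}},
    # Session name stamped with the email (the design the post assumes).
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "requestParameters": {"roleSessionName": "alice@example.com"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + "alice@example.com"}},
    # Automated workload session (the kind seen in the seven-day search): no match.
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/eks-node/kube-system-cluster-autoscaler"}},
    # Session name stamped with the GUID instead of the email.
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + USER_GUID}},
    # Same user, but well outside the correlation window.
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + "alice@example.com"}},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_jit_assignments(events):
    """Block 1: successful CreateAccountAssignment calls from sso.amazonaws.com
    for a USER principal. Returns the GUID and permission set for each."""
    found = []
    for e in events:
        rp = e.get("requestParameters") or {}
        if (e.get("eventSource") == "sso.amazonaws.com"
                and e.get("eventName") == "CreateAccountAssignment"
                and not e.get("errorCode")
                and rp.get("principalType") == "USER"):
            found.append({"time": _ts(e["eventTime"]),
                          "principal_id": rp["principalId"],
                          "permission_set": rp.get("permissionSetArn")})
    return found


def session_name(event):
    """Session name from an AssumeRole request or an assumed-role ARN, else None."""
    rp = event.get("requestParameters") or {}
    if rp.get("roleSessionName"):
        return rp["roleSessionName"]
    ui = event.get("userIdentity") or {}
    if ui.get("type") == "AssumedRole" and ":assumed-role/" in ui.get("arn", ""):
        return ui["arn"].rsplit("/", 1)[1]
    return None


def correlate(assignment, events, identity_store, window=timedelta(hours=8)):
    """Block 2: events inside the window after the assignment whose session
    name contains the user's email (when the GUID resolves) or the GUID itself,
    so the rule works whichever value TEAM writes into roleSessionName."""
    markers = {assignment["principal_id"].lower()}
    email = identity_store.get(assignment["principal_id"])
    if email:
        markers.add(email.lower())
    start, end = assignment["time"], assignment["time"] + window
    hits = []
    for e in events:
        name = session_name(e)
        if (name and start <= _ts(e["eventTime"]) <= end
                and any(m in name.lower() for m in markers)):
            hits.append(e)
    return hits


def correlated_event_names(events, identity_store):
    """Run both blocks and list the downstream eventNames per assignment."""
    return [h["eventName"] for a in find_jit_assignments(events)
            for h in correlate(a, events, identity_store)]


if __name__ == "__main__":
    print(correlated_event_names(SAMPLE_EVENTS, IDENTITY_STORE))
```

Running it with the GUID-to-email map correlates the AssumeRole, DescribeInstances and GetObject events; with an empty map only the GUID-named session (GetObject) is found, which is exactly why the roleSessionName format has to be confirmed before the rule can be trusted.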


Where We Are Now
We aren't done — but we are remarkably far along for the amount of time invested.
Here's the honest status:
✅ Block 1 is fully scoped - trigger event, source, outcome, and field conditions all confirmed from real data
✅ Architecture is decided - Analytics correlation rule, potentially paired with a pipeline enrichment model if GUID-to-email resolution is needed
✅ Known unknowns are identified - one outstanding question: what does TEAM set as roleSessionName for human JIT sessions?
⏳ One test away from completing Block 2 - trigger a live JIT assignment, observe the session event, and the rule is ready to build out fully
The experience throughout has been seamless. No context switching. No separate SIEM query window. No manually grepping through CloudTrail exports. Every discovery happened inside a single conversation, guided by an AI that understood both the security concept and the data.
Why This Matters
Security teams are constantly asked to build detections for complex, multi-stage behaviors — lateral movement, privilege abuse, data exfiltration chains. The bottleneck has never been the rule builder. It's always been the data archaeology that has to happen before you can build anything meaningful.
Astro collapses that gap. You bring the concept. It helps you find the data, understand the schema, identify the gaps, and guide you toward a detection that will actually work in your environment — not just in theory.
This JIT correlation rule is a perfect example. What started as a vague idea became a near-complete, production-ready detection in a single session. And we still have more to do — but the path forward is clear, the unknowns are known, and the work left is minimal.
That's what good tooling feels like.
Abstract Security's Astro is available natively within the platform. No additional setup is required; just start the conversation.