Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CreateFunctionUrlConfig #5016

Merged
merged 5 commits into from
Dec 19, 2024
Merged

CreateFunctionUrlConfig #5016

merged 5 commits into from
Dec 19, 2024

Conversation

saakovv
Copy link
Contributor

@saakovv saakovv commented Sep 20, 2024
edited
Loading

Summary of the Pull Request

This rule now tracks the creation of the Lambda function URL configuration, which can be used by attackers to gain unauthorized access to Lambda functions and their privileges.

Changelog

Example Log Event

{ [-]
   awsCloud_account_ID: XXX
   awsRegion: eu-central
   cwlGroupname: aws-controltower/CloudTrailLogs
   eventCategory: Management
   eventID: 6e683fe2
   eventName: CreateFunctionUrlConfig
   eventSource: lambda.amazonaws.com
   eventTime: 2024-09-12T08:50:11Z
   eventType: AwsApiCall
   eventVersion: 1.08
   managementEvent: true
   readOnly: false
   recipientAccountId: XXX
   requestID: db215d0a
   requestParameters: { [-]
     authType: NONE
     cors: { [-]
     }
     functionName: XXX
     invokeMode: BUFFERED
   }
   responseElements: { [-]
     authType: NONE
     creationTime: 2024-09-12T08:50:11.556353Z
     functionArn: arn:aws:lambda:eu-central-XXX:function:XXX
     functionUrl: https://XXX
     invokeMode: BUFFERED
   }
   sessionCredentialFromConsole: true
   sourceIPAddress: XXX
   tlsDetails: { [-]
     cipherSuite: TLS_AES_128_GCM_SHA256
     clientProvidedHostHeader: lambda.eu-central.amazonaws.com
     tlsVersion: TLSv1.3
   }
   userAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
   userIdentity: { [-]
     accessKeyId: XXX
     accountId: XXX
     arn: arn:aws:iam::XXX:user/XXX
     principalId: XXX
     sessionContext: { [-]
       attributes: { [-]
         creationDate: 2024-09-12T08:46:54Z
         mfaAuthenticated: false
       }
       sessionIssuer: { [-]
       }
       webIdFederationData: { [-]
       }
     }
     type: IAMUser
     userName: XXX
   }
}

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added the Rules label Sep 20, 2024
@saakovv
Update aws_lambda_function_url.yml
2bee17f 
fix
status: experimental
frack113
frack113 reviewed Nov 6, 2024
View reviewed changes
Copy link
Member

@frack113 frack113 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml Show resolved Hide resolved
@saakovv @frack113
Update rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
0c73a5b 
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
saakovv
saakovv commented Nov 6, 2024
View reviewed changes
Copy link
Contributor Author

@saakovv saakovv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added references

@frack113 frack113 added the 2nd Review Needed PR need a second approval label Dec 14, 2024
@saakovv
Copy link
Contributor Author

saakovv commented Dec 16, 2024

@frack113 Hi! Do you need more information from me?

@frack113
Copy link
Member

@frack113 Hi! Do you need more information from me?

No, thanks.
I have approve it.
I have put the labeks 2nd Review Needed for another menber take a look at.

@nasbench
Copy link
Member

@frack113 Hi! Do you need more information from me?

No, thanks.
I have approve it.
I have put the labeks 2nd Review Needed for another menber take a look at.

Aka me 😁
Would still need to check fp rate with some data I have and review. Hang in tight it's coming.

@nasbench nasbench merged commit aec72e1 into SigmaHQ:master Dec 19, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frack113 frack113 frack113 approved these changes

@nasbench nasbench nasbench approved these changes

Assignees
No one assigned
Labels
2nd Review Needed PR need a second approval Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@saakovv @frack113 @nasbench