fix - IAM User takeover Correlation Rule correlating on IP instead of…

… user (#1362) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
panther-labs · Sep 30, 2024 · 91662f6 · 91662f6
1 parent c435791
commit 91662f6
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 14 deletions.
diff --git a/correlation_rules/aws_user_takeover_via_password_reset.yml b/correlation_rules/aws_user_takeover_via_password_reset.yml
@@ -17,7 +17,7 @@ Detection:
           From: Password Reset
           To: Login
           Match:
-            - On: sourceIPAddress
+            - On: p_alert_context.ip_and_username
       Schedule:
         RateMinutes: 60
         TimeoutMinutes: 10
@@ -28,34 +28,53 @@ Tests:
       RuleOutputs:
         - ID: Password Reset
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [0]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
         - ID: Login
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [5]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:02:01Z"
+    - Name: Password Reset, Then Login From different user
+      ExpectedResult: false
+      RuleOutputs:
+        - ID: Password Reset
+          Matches:
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
+        - ID: Login
+          Matches:
+            p_alert_context.ip_and_username:
+              "1.1.1.1bob":
+                - "2024-06-01T10:02:01Z"
     - Name: Password Reset, Then Login From Different IPs
       ExpectedResult: false
       RuleOutputs:
         - ID: Password Reset
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [0]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
         - ID: Login
           Matches:
-            sourceIPAddress:
-              '2.2.2.2': [5]
+            p_alert_context.ip_and_username:
+              "2.2.2.2alice":
+                - "2024-06-01T10:02:01Z"
     - Name: Password Reset Without Login
       ExpectedResult: false
       RuleOutputs:
         - ID: Password Reset
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [0]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
     - Name: Login Without Password Reset
       ExpectedResult: false
       RuleOutputs:
         - ID: Login
           Matches:
-            sourceIPAddress:
-              '1.1.1.1': [5]
+            p_alert_context.ip_and_username:
+              "1.1.1.1alice":
+                - "2024-06-01T10:01:01Z"
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_loginprofilecreatedormodified.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_loginprofilecreatedormodified.py
@@ -30,4 +30,8 @@ def title(event):
 
 
 def alert_context(event):
-    return aws_rule_context(event)
+    context = aws_rule_context(event)
+    context["ip_and_username"] = event.get(
+        "sourceIPAddress", "<MISSING_SOURCE_IP>"
+    ) + event.deep_get("requestParameters", "userName", default="<MISSING_USER_NAME>")
+    return context
diff --git a/rules/aws_cloudtrail_rules/aws_console_login.py b/rules/aws_cloudtrail_rules/aws_console_login.py
@@ -1,2 +1,10 @@
 def rule(event):
     return event.get("eventName") == "ConsoleLogin"
+
+
+def alert_context(event):
+    context = {}
+    context["ip_and_username"] = event.get(
+        "sourceIPAddress", "<MISSING_SOURCE_IP>"
+    ) + event.deep_get("userIdentity", "userName", default="<MISSING_USER_NAME>")
+    return context