Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix - IAM User takeover Correlation Rule correlating on IP instead of user #1362

Merged
merged 4 commits into from
Sep 30, 2024
Merged

fix - IAM User takeover Correlation Rule correlating on IP instead of user #1362

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
71087df
fix - IAM User takeover Correlation Rule correlating on IP instead of…
akozlovets098 Sep 25, 2024
2b04681
Merge branch 'release' into IAM-User-takeover-Correlation-Rule-correl…
arielkr256 Sep 25, 2024
a598189
fix - IAM User takeover Correlation Rule correlating on IP and user
akozlovets098 Sep 30, 2024
0858206
Merge branch 'release' into IAM-User-takeover-Correlation-Rule-correl…
arielkr256 Sep 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 32 additions & 13 deletions correlation_rules/aws_user_takeover_via_password_reset.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ Detection:
From: Password Reset
To: Login
Match:
- On: sourceIPAddress
- On: p_alert_context.ip_and_username
Schedule:
RateMinutes: 60
TimeoutMinutes: 10
Expand All @@ -28,34 +28,53 @@ Tests:
RuleOutputs:
- ID: Password Reset
Matches:
sourceIPAddress:
'1.1.1.1': [0]
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- ID: Login
Matches:
sourceIPAddress:
'1.1.1.1': [5]
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:02:01Z"
- Name: Password Reset, Then Login From different user
ExpectedResult: false
RuleOutputs:
- ID: Password Reset
Matches:
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- ID: Login
Matches:
p_alert_context.ip_and_username:
"1.1.1.1bob":
- "2024-06-01T10:02:01Z"
- Name: Password Reset, Then Login From Different IPs
ExpectedResult: false
RuleOutputs:
- ID: Password Reset
Matches:
sourceIPAddress:
'1.1.1.1': [0]
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- ID: Login
Matches:
sourceIPAddress:
'2.2.2.2': [5]
p_alert_context.ip_and_username:
"2.2.2.2alice":
- "2024-06-01T10:02:01Z"
- Name: Password Reset Without Login
ExpectedResult: false
RuleOutputs:
- ID: Password Reset
Matches:
sourceIPAddress:
'1.1.1.1': [0]
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
- Name: Login Without Password Reset
ExpectedResult: false
RuleOutputs:
- ID: Login
Matches:
sourceIPAddress:
'1.1.1.1': [5]
p_alert_context.ip_and_username:
"1.1.1.1alice":
- "2024-06-01T10:01:01Z"
6 changes: 5 additions & 1 deletion rules/aws_cloudtrail_rules/aws_cloudtrail_loginprofilecreatedormodified.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,8 @@ def title(event):


def alert_context(event):
return aws_rule_context(event)
context = aws_rule_context(event)
context["ip_and_username"] = event.get(
"sourceIPAddress", "<MISSING_SOURCE_IP>"
) + event.deep_get("requestParameters", "userName", default="<MISSING_USER_NAME>")
return context
8 changes: 8 additions & 0 deletions rules/aws_cloudtrail_rules/aws_console_login.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,10 @@
def rule(event):
return event.get("eventName") == "ConsoleLogin"


def alert_context(event):
context = {}
context["ip_and_username"] = event.get(
"sourceIPAddress", "<MISSING_SOURCE_IP>"
) + event.deep_get("userIdentity", "userName", default="<MISSING_USER_NAME>")
arielkr256 marked this conversation as resolved.
Show resolved Hide resolved
return context
Loading