Update aws_unauthorized_api_call dedup function #932

Merged
merged 4 commits into from
Nov 7, 2023

Conversation

egibs
@egibs egibs commented Nov 7, 2023

Background

Customers were running into empty dedup values because the dedup function for this rule is looking for an arn key in the userIdentity object, which does not exist (based on the test logs, this used to be a valid key and was likely removed).

This PR updates the dedup function to use principalId instead.

Changes

  • Uses the principalId key rather than the nonexistent arn key

Testing

  • Tests pass as expected:
AWS.CloudTrail.UnauthorizedAPICall
  	[PASS] Unauthorized API Call from Within AWS (IP)
  		[PASS] [rule] true
  		[PASS] [title] Access denied to IAMUser [1111]
  		[PASS] [dedup] 1111
  		[PASS] [alertContext] {"eventName": "CreateServiceLinkedRole", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1", "recipientAccountId": "123456789012", "sourceIPAddress": "3.10.107.144", "userAgent": "sqs.amazonaws.com", "userIdentity": {"type": "IAMUser", "principalId": "1111", "arn": "arn:aws:iam::123456789012:user/tester", "accountId": "123456789012", "accessKeyId": "1", "userName": "tester", "sessionContext": {"attributes": {"mfaAuthenticated": "true", "creationDate": "2019-01-01T00:00:00Z"}}, "invokedBy": "signin.amazonaws.com"}}
  	[PASS] Unauthorized API Call from Within AWS (FQDN)
  		[PASS] [rule] false
  	[PASS] Authorized API Call
  		[PASS] [rule] false

@egibs egibs marked this pull request as ready for review November 7, 2023 21:24
@egibs egibs requested a review from a team November 7, 2023 21:24
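To make the dedup problem concrete, here is a Panther-style rule module written for this page as an added example; it is not the AWS.CloudTrail.UnauthorizedAPICall rule from panther-analysis. The deep_get helper, the simplified rule() body (it only checks errorCode) and the sample CloudTrail records are constructed stand-ins. dedup_before and dedup_after show the pre- and post-PR dedup keys; alert_groups shows the practical consequence, namely that an empty key makes unrelated principals collapse into one alert. dedup_with_fallback goes one step beyond the PR by never returning an empty key at all.

```python
"""Panther-style rule showing why the dedup key moved from arn to principalId.

Added example, not the panther-analysis rule itself. deep_get, the simplified
rule() body and every sample event below are constructed for illustration.
"""
from collections import Counter
from typing import Any, Callable, Dict, Iterable


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dict keys; return default as soon as a level is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: Dict[str, Any]) -> bool:
    """Simplified stand-in (assumption): alert on access-denied API calls."""
    return event.get("errorCode") in ("AccessDenied", "UnauthorizedAccess")


def title(event: Dict[str, Any]) -> str:
    """Same shape as the title in the PR's test output."""
    identity_type = deep_get(event, "userIdentity", "type", default="unknown")
    principal = deep_get(event, "userIdentity", "principalId", default="unknown")
    return f"Access denied to {identity_type} [{principal}]"


def dedup_before(event: Dict[str, Any]) -> str:
    """Pre-PR behaviour: key on userIdentity.arn, empty when the key is absent."""
    return deep_get(event, "userIdentity", "arn", default="")


def dedup_after(event: Dict[str, Any]) -> str:
    """Post-PR behaviour: key on userIdentity.principalId."""
    return deep_get(event, "userIdentity", "principalId", default="")


def dedup_with_fallback(event: Dict[str, Any]) -> str:
    """Generalisation (not in the PR): never return an empty dedup key.

    principalId first, then arn, then the recipient account id, so a record
    with a sparse userIdentity still gets a meaningful grouping key.
    """
    for keys in (("userIdentity", "principalId"),
                 ("userIdentity", "arn"),
                 ("recipientAccountId",)):
        value = deep_get(event, *keys)
        if value:
            return str(value)
    return "unknown-principal"


def alert_groups(events: Iterable[Dict[str, Any]],
                 dedup_fn: Callable[[Dict[str, Any]], str]) -> Dict[str, int]:
    """Count matching events per dedup key: how many records share one alert."""
    return dict(Counter(dedup_fn(e) for e in events if rule(e)))


# Constructed sample records (not real CloudTrail output).
IAM_USER_EVENT = {
    "eventName": "CreateServiceLinkedRole",
    "eventSource": "iam.amazonaws.com",
    "errorCode": "AccessDenied",
    "recipientAccountId": "123456789012",
    "userIdentity": {"type": "IAMUser", "principalId": "1111",
                     "arn": "arn:aws:iam::123456789012:user/tester",
                     "accountId": "123456789012", "userName": "tester"},
}
# Two records without userIdentity.arn, from two different principals.
NO_ARN_EVENT_A = {
    "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
    "errorCode": "AccessDenied", "recipientAccountId": "123456789012",
    "userIdentity": {"type": "IAMUser", "principalId": "1111",
                     "accountId": "123456789012", "userName": "tester"},
}
NO_ARN_EVENT_B = {
    "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
    "errorCode": "AccessDenied", "recipientAccountId": "123456789012",
    "userIdentity": {"type": "IAMUser", "principalId": "2222",
                     "accountId": "123456789012", "userName": "other"},
}
AUTHORIZED_EVENT = {
    "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
    "recipientAccountId": "123456789012",
    "userIdentity": {"type": "IAMUser", "principalId": "3333"},
}

if __name__ == "__main__":
    sample = [IAM_USER_EVENT, NO_ARN_EVENT_A, NO_ARN_EVENT_B, AUTHORIZED_EVENT]
    print("before:", alert_groups(sample, dedup_before))
    print("after: ", alert_groups(sample, dedup_after))
```

Running the module groups the two arn-less records under a single empty key with the old dedup, and under "1111" and "2222" with the new one; that is the difference between one muddled alert and one alert per principal.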
@arielkr256 arielkr256 left a comment


Looks good, no need to decode ARN if it's just for dedup

@egibs egibs merged commit 00f3fbf into main Nov 7, 2023
1 check passed
@egibs egibs deleted the egibs-update-aws-cloudtrail-unauthorized-api-call branch November 7, 2023 21:33
2 participants