Skip to content

Latest commit

 

History

History
37 lines (30 loc) · 1.29 KB

MATCH-S00307.md

File metadata and controls

37 lines (30 loc) · 1.29 KB
Raw

Rules: AWS - Excessive OAuth Application Permissions Scope

Description

Alert when an OAuth application has requested a high number of permissions to aspects of AWS.

Additional Details

Detail Value
Type Templated Match
Category Execution
Apply Risk to Entities device_hostname, device_ip, user_username, srcDevice_ip
Signal Name AWS - Excessive OAuth Application Permissions Scope - "{{application}}"
Summary Expression {{action}} performed by user: {{user_username}} on {{application}}
Score/Severity Static: 4
Enabled by Default True
Prototype False
Tags _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0008, _mitreAttackTechnique:T1550, _mitreAttackTechnique:T1550.001

Vendors and Products

Fields Used

Origin Field
Normalized Schema application
Normalized Schema device_hostname
Normalized Schema device_ip
Direct from Record fields['requestParameters.readAttributes.10']
Direct from Record fields['requestParameters.writeAttributes.10']
Normalized Schema metadata_deviceEventId
Normalized Schema metadata_product
Normalized Schema metadata_vendor
Normalized Schema srcDevice_ip
Normalized Schema user_username