Rules: AWS - Excessive OAuth Application Permissions Scope
Alert when an OAuth application has requested a high number of permissions to aspects of AWS.
Detail | Value |
---|---|
Type | Templated Match |
Category | Execution |
Apply Risk to Entities | device_hostname, device_ip, user_username, srcDevice_ip |
Signal Name | AWS - Excessive OAuth Application Permissions Scope - "{{application}}" |
Summary Expression | {{action}} performed by user: {{user_username}} on {{application}} |
Score/Severity | Static: 4 |
Enabled by Default | True |
Prototype | False |
Tags | _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0008, _mitreAttackTechnique:T1550, _mitreAttackTechnique:T1550.001 |
Origin | Field |
---|---|
Normalized Schema | application |
Normalized Schema | device_hostname |
Normalized Schema | device_ip |
Direct from Record | fields['requestParameters.readAttributes.10'] |
Direct from Record | fields['requestParameters.writeAttributes.10'] |
Normalized Schema | metadata_deviceEventId |
Normalized Schema | metadata_product |
Normalized Schema | metadata_vendor |
Normalized Schema | srcDevice_ip |
Normalized Schema | user_username |