[Rule Tunings] AWS Administrator Access Policy Attached Rules (elasti…
…c#3867)

* [Tuning] AWS Administrator Access Policy Attached Rules

* change lookback to prevent overlap

* changed `from` to now-6m
imays11 authored Jul 11, 2024
1 parent 80ac279 commit f0ab897
Showing 3 changed files with 9 additions and 15 deletions.
Expand Up @@ -2,8 +2,8 @@
creation_date = "2024/05/31"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/31"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
updated_date = "2024/07/05"
min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
min_stack_version = "8.13.0"

[rule]
Expand All @@ -21,7 +21,7 @@ false_positives = [
to attach the `AdministratorAccess` policy to the user group.
""",
]
from = "now-10m"
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS IAM AdministratorAccess Policy Attached to Group"
Expand Down Expand Up @@ -104,8 +104,6 @@ from logs-aws.cloudtrail-*
| where event.provider == "iam.amazonaws.com" and event.action == "AttachGroupPolicy" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}"
| where policyName == "AdministratorAccess"
| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, group.name, user_agent.original, source.address, source.geo.location
| sort aws.cloudtrail.user_identity.arn
'''


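Review bot: The tightened lookback on the `from = "now-6m"` line leaves very little headroom for CloudTrail delivery lag: CloudTrail events are commonly indexed several minutes after the API call they record, and an AttachGroupPolicy event whose @timestamp has already fallen outside the six-minute window by the time the rule executes is never evaluated, so an AdministratorAccess attachment can be missed silently. The description says the goal is to prevent overlapping runs, but shrinking the query window trades duplicate alerts for detection gaps; the rule's execution interval is not visible in this hunk, so the intended overlap cannot be checked here, and pinning it explicitly, e.g. `interval = "5m"` next to `from`, would make the relationship reviewable. A short comment above the line would also record the trade-off for future tuning, e.g. `# lookback is only slightly wider than the run interval; CloudTrail events ingested later than this are not evaluated`. The same change appears in the role and user rule files below, and the final hunk in each file drops two lines that the rendered page does not let me identify with certainty, so I have not reviewed that part.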
Expand Up @@ -2,8 +2,8 @@
creation_date = "2024/05/31"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/31"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
updated_date = "2024/07/05"
min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
min_stack_version = "8.13.0"

[rule]
Expand All @@ -20,7 +20,7 @@ false_positives = [
to attach the `AdministratorAccess` policy to the target role.
""",
]
from = "now-10m"
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS IAM AdministratorAccess Policy Attached to Role"
Expand Down Expand Up @@ -103,8 +103,6 @@ from logs-aws.cloudtrail-*
| where event.provider == "iam.amazonaws.com" and event.action == "AttachRolePolicy" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}"
| where policyName == "AdministratorAccess"
| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, role.name, user_agent.original, source.address, source.geo.location
| sort aws.cloudtrail.user_identity.arn
'''


Expand Up @@ -2,8 +2,8 @@
creation_date = "2024/05/30"
integration = ["aws"]
maturity = "production"
updated_date = "2024/05/30"
min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
updated_date = "2024/07/05"
min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
min_stack_version = "8.13.0"

[rule]
Expand All @@ -20,7 +20,7 @@ false_positives = [
to attach the `AdministratorAccess` policy to the target user.
""",
]
from = "now-10m"
from = "now-6m"
language = "esql"
license = "Elastic License v2"
name = "AWS IAM AdministratorAccess Policy Attached to User"
Expand Down Expand Up @@ -103,8 +103,6 @@ from logs-aws.cloudtrail-*
| where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success"
| dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}"
| where policyName == "AdministratorAccess"
| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, target.userName, user_agent.original, source.address, source.geo.location
| sort aws.cloudtrail.user_identity.arn
'''


