Commit
queries and tests
arielkr256 committed Dec 2, 2024
1 parent 3ea49aa commit 057c96b
Showing 4 changed files with 10 additions and 5 deletions.
6 changes: 3 additions & 3 deletions queries/aws_queries/anomalous_role_assume_query.yml
@@ -4,18 +4,18 @@ Enabled: false
Query: |
SELECT
requestParameters:roleArn as roleArn,
userIdentity:principalId as principalId,
userIdentity:credentialId as credentialId,
count(DISTINCT userAgent) as distinctUserAgents
FROM
panther_logs.public.aws_cloudtrail
WHERE
eventSource = 'sts.amazonaws.com'
and eventName = 'AssumeRole'
and p_occurs_since('1 days')
and userIdentity:principalId != 'null'
and userIdentity:credentialId != 'null'
and userAgent != 'AWS Internal'
and requestParameters:roleArn != 'null'
GROUP BY requestParameters:roleArn, userIdentity:principalId
GROUP BY requestParameters:roleArn, userIdentity:credentialId
HAVING count(DISTINCT userAgent) > 1
ORDER BY count(DISTINCT userAgent) DESC
QueryName: "RoleAssumes by Multiple Useragents"
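Review bot: changing the GROUP BY key from userIdentity:principalId to userIdentity:credentialId (together with the matching SELECT and WHERE edits above it) changes what this query measures: it now counts distinct user agents per credential rather than per principal, so a principal that assumes the same role through several credentials, each seen from a single user agent, will no longer be surfaced by HAVING count(DISTINCT userAgent) > 1. If that narrowing is intended, the commit message ("queries and tests") and the query description should say so; otherwise keep principalId as an additional GROUP BY column. Separately, `userIdentity:credentialId != 'null'` compares against the string literal 'null'; if the intent is to exclude rows where the field is absent, `IS NOT NULL` is the explicit form and worth confirming against real CloudTrail rows.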
@@ -4,7 +4,7 @@ Enabled: false
Query: |
SELECT
requestParameters:roleArn AS role,
ARRAY_AGG(distinct userIdentity:principalId) AS users,
ARRAY_AGG(distinct userIdentity:credentialId) AS users,
ARRAY_AGG(distinct userIdentity:type) AS types
FROM
panther_logs.public.aws_cloudtrail
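Review bot: the alias `AS users` on the changed ARRAY_AGG line is now misleading, since the column aggregates userIdentity:credentialId rather than principal IDs; rename it (e.g. `AS credentials`) and update anything downstream that reads the `users` column from this query's results.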
2 changes: 1 addition & 1 deletion rules/aws_cloudtrail_rules/aws_key_compromised.py
@@ -14,7 +14,7 @@ def rule(event):


def dedup(event):
return event.deep_get("additionalEventData", "UserName")
return event.deep_get("additionalEventData", "UserName", default="<NO_USERNAME>")


def title(event):
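Review bot: the new default="<NO_USERNAME>" in dedup() avoids a None dedup key, but it collapses every event that lacks additionalEventData.UserName into one "<NO_USERNAME>" bucket, so alerts for several different compromised keys in the same window would be deduplicated into a single alert. Consider falling back to another per-identity field before the constant, e.g. event.deep_get("userIdentity", "arn") (present in the test event added in this commit), and keep the literal only as the last resort.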
5 changes: 5 additions & 0 deletions rules/aws_cloudtrail_rules/aws_key_compromised.yml
@@ -32,6 +32,11 @@ Tests:
"arn": "arn:aws:iam::123456789012:user/compromised_user",
"accountId": "123456789012",
},
"additionalEventData":
{
"CredentialType": "PASSWORD",
"UserName": "anyuser"
},
"eventName": "PutUserPolicy",
"eventVersion": "1.05",
"userAgent": "aws-internal/3 aws-sdk-java/1.11.706 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.242-b08 java/1.8.0_242 vendor/Oracle_Corporation",
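Review bot: the added additionalEventData block only exercises the path where UserName is present ("anyuser"); add a second test event with additionalEventData absent or without UserName so the new default="<NO_USERNAME>" branch in dedup() is covered, and assert the expected dedup value for both cases.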