
fix - IAM User takeover Correlation Rule correlating on IP instead of user #1362


@akozlovets098 akozlovets098 commented Sep 25, 2024

Background

Fixes #1359

Changes

  • Made IAM User takeover Correlation Rule correlate on user instead of IP

@akozlovets098 akozlovets098 requested a review from a team as a code owner September 25, 2024 08:19

@arielkr256 arielkr256 left a comment


I think this needs to correlate on both IP and target user name. We want to detect when [email protected] resets Bob's password, then Bob logs in from 11.22.33.44.

Username Bob is in the requestParameters.userName field in the PasswordReset rule, and would be the last part of userIdentity.arn in the Login rule.
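
Added example, not code from panther-analysis or this PR: a self-contained sketch of the correlation key just described, taking requestParameters.userName from the PasswordReset side and the last segment of userIdentity.arn from the Login side. The sample event dicts, the responseElements check, and the one-hour window are constructed assumptions, not values from the page.

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail events (not real logs): alice resets Bob's
# password, then Bob signs in to the console from a different address.
PASSWORD_RESET_EVENT = {
    "eventName": "UpdateLoginProfile",
    "eventTime": "2024-09-25T08:00:00Z",
    "sourceIPAddress": "1.2.3.4",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {"userName": "Bob"},
}
LOGIN_EVENT = {
    "eventName": "ConsoleLogin",
    "eventTime": "2024-09-25T08:10:00Z",
    "sourceIPAddress": "11.22.33.44",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Bob"},
    "responseElements": {"ConsoleLogin": "Success"},
}

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def reset_target_user(event):
    """PasswordReset side: the key is the user whose password was set."""
    return (event.get("requestParameters") or {}).get("userName")

def login_user(event):
    """Login side: the key is the last segment of userIdentity.arn. Only IAM
    users qualify; for assumed roles that segment is a session name, not a user."""
    identity = event.get("userIdentity") or {}
    if identity.get("type") != "IAMUser":
        return None
    return (identity.get("arn") or "").rsplit("/", 1)[-1] or None

def correlate(resets, logins, window=timedelta(hours=1)):
    """Pair each reset with later successful logins by the same user name within
    the window. Source IPs are carried as context only, not used as the key."""
    hits = []
    for reset in resets:
        target = reset_target_user(reset)
        for login in logins:
            if not target or login_user(login) != target:
                continue
            if (login.get("responseElements") or {}).get("ConsoleLogin") != "Success":
                continue
            delta = _ts(login) - _ts(reset)
            if timedelta(0) <= delta <= window:
                hits.append({"user": target, "reset_ip": reset.get("sourceIPAddress"),
                             "login_ip": login.get("sourceIPAddress")})
    return hits
```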

@arielkr256 arielkr256 added the tuning label Sep 25, 2024
@akozlovets098

I think this needs to correlate on both IP and target user name.

@arielkr256 We cannot correlate on both. We can add some context field to both rules that will contain both IP and user name and try correlating on this list, but I'm not sure that this is a good idea (it is not an explicit approach) and that it will work. What do you think about that?

@arielkr256 arielkr256 added the correlation_rules label Sep 26, 2024

@arielkr256 arielkr256 left a comment


LGTM!

@arielkr256 arielkr256 enabled auto-merge (squash) September 30, 2024 15:42
@arielkr256 arielkr256 merged commit 91662f6 into release Sep 30, 2024
8 checks passed
@arielkr256 arielkr256 deleted the IAM-User-takeover-Correlation-Rule-correlating-on-IP-instead-of-user branch September 30, 2024 15:46