
feat: add requestParameters #1402

Open
wants to merge 1 commit into develop

Conversation

pbnj-dragon
Contributor

Closes #1401

Background

requestParameters contains critical information for incident responders that should be surfaced as part of the alert context.

Changes

  • Adds requestParameters to the dict returned by aws_rule_context() helper function

Testing

@pbnj-dragon pbnj-dragon requested a review from a team as a code owner October 22, 2024 23:26
@arielkr256 arielkr256 added the enhancement New feature or request label Oct 29, 2024
@arielkr256
Contributor

@pbnj-dragon in general I really like this addition, my only hesitation is that requestParameters can sometimes be quite large. Here are some stats for a 24 hour CloudTrail log sample:

{ "avg_length": 140.80603, "avg_num_elements": 1.830889, "max_length": 10109, "max_num_elements": 15, "min_length": 11, "min_num_elements": 1 }

I'm checking internally to see if we have a recommended maximum for alert context, but curious if there are specific sub-fields or eventNames within CloudTrail that we could narrow this down to.

@pbnj-dragon
Contributor Author

Hi @arielkr256 ,

> but curious if there are specific sub-fields or eventNames within CloudTrail that we could narrow this down to.

It's less about particular sub-fields and more about the full context associated with the event.

We are trying to provide the full context in the alert that is sent out of Panther (e.g. Jira Alert Destination). Without that context, the alert is not actionable. For a "Public RDS Restore" alert, for example, users are presented with basic info (e.g. region, event name, event source, AWS account ID, source IP address, user agent, user/caller identity), but no info about the resource itself that the alert is about (e.g. db instance identifier, db snapshot identifier, db subnet group, db port, etc.), all of which is in the requestParameters.


Public RDS Restore Alert
{
  "awsRegion": "...",
  "eventName": "RestoreDBInstanceFromDBSnapshot",
  "eventSource": "rds.amazonaws.com",
  "recipientAccountId": "111222333444",
  "sourceIPAddress": "xx.xx.xx.xx",
  "userAgent": "...",
  "userIdentity": {
    "accessKeyId": "ASIAXXX",
    "accountId": "111222333444",
    "arn": "...",
    "principalId": "...",
    "sessionContext": {
      "attributes": {
        "creationDate": "YYYY-MM-DDTHH:MM:SSZ",
        "mfaAuthenticated": "false"
      },
      "sessionIssuer": {
        "accountId": "111222333444",
        "arn": "...",
        "principalId": "...",
        "type": "Role",
        "userName": "..."
      },
      "webIdFederationData": {}
    },
    "type": "AssumedRole"
  }
}
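The two sides of the thread above (surface requestParameters in the alert context so the responder sees the resource the alert is about, but keep the occasional 10 KB requestParameters from bloating the alert payload) can be reconciled in code. The block below is an added example, not the project's aws_rule_context() helper or any Panther code: it builds the same base fields shown in the "Public RDS Restore Alert" JSON, then attaches requestParameters trimmed to a byte budget by dropping the largest sub-fields first and recording their names. The budget constant, the function names, the plain-dict event access (instead of Panther's event object) and the sample RestoreDBInstanceFromDBSnapshot event are all assumptions constructed for this example.

```python
"""Added example (not Panther's code): alert context with size-bounded
CloudTrail requestParameters."""
import json
from typing import Any

# Assumed budget for the serialized requestParameters object. This is not a
# documented Panther limit; it is an illustrative cap chosen so the typical
# ~140-byte requestParameters pass through untouched while 10 KB outliers
# are trimmed.
MAX_REQUEST_PARAMS_BYTES = 4096


def json_size(value: Any) -> int:
    """Size in bytes of a value serialized as compact JSON (UTF-8)."""
    return len(json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8"))


def bounded_request_parameters(params: Any, max_bytes: int = MAX_REQUEST_PARAMS_BYTES) -> Any:
    """Return requestParameters trimmed to fit max_bytes.

    Sub-fields are dropped largest-first (policy documents, user data, long
    tag lists) so that the small identifying fields a responder needs, such as
    dBInstanceIdentifier, survive. Dropped key names are recorded under
    "_truncatedKeys" so the responder knows to pull the full event from the
    data lake. If every key has to go, only the marker is returned, which may
    itself exceed a very small budget.
    """
    if not isinstance(params, dict):
        # Non-object requestParameters are unusual; pass through when small.
        if json_size(params) <= max_bytes:
            return params
        return {"_truncatedKeys": ["<non-object requestParameters>"]}

    kept = dict(params)
    dropped: list = []

    def candidate() -> dict:
        out = dict(kept)
        if dropped:
            out["_truncatedKeys"] = sorted(dropped)
        return out

    while kept and json_size(candidate()) > max_bytes:
        biggest = max(kept, key=lambda k: json_size(kept[k]))
        dropped.append(biggest)
        del kept[biggest]
    return candidate()


def aws_rule_context_with_request_params(event: dict, max_bytes: int = MAX_REQUEST_PARAMS_BYTES) -> dict:
    """Hypothetical stand-in for the helper under discussion: the base fields
    from the alert above plus a size-bounded requestParameters. Plain dict
    access is an assumption of this example; the real helper reads a Panther
    event object."""
    context = {
        "awsRegion": event.get("awsRegion"),
        "eventName": event.get("eventName"),
        "eventSource": event.get("eventSource"),
        "recipientAccountId": event.get("recipientAccountId"),
        "sourceIPAddress": event.get("sourceIPAddress"),
        "userAgent": event.get("userAgent"),
        "userIdentity": event.get("userIdentity", {}),
    }
    if "requestParameters" in event:
        context["requestParameters"] = bounded_request_parameters(event["requestParameters"], max_bytes)
    return context


# Constructed sample event (not a real CloudTrail record): a public RDS restore
# with a deliberately long tag list so the trimming path is exercised.
SAMPLE_EVENT = {
    "awsRegion": "us-east-1",
    "eventName": "RestoreDBInstanceFromDBSnapshot",
    "eventSource": "rds.amazonaws.com",
    "recipientAccountId": "111222333444",
    "sourceIPAddress": "192.0.2.10",
    "userAgent": "aws-cli/2.15.0",
    "userIdentity": {"type": "AssumedRole", "accountId": "111222333444"},
    "requestParameters": {
        "dBInstanceIdentifier": "prod-orders-restore",
        "dBSnapshotIdentifier": "rds:prod-orders-2024-10-22",
        "dBSubnetGroupName": "public-subnets",
        "port": 5432,
        "publiclyAccessible": True,
        "tags": [{"key": f"k{i}", "value": "v" * 20} for i in range(10)],
    },
}

if __name__ == "__main__":
    # Default budget keeps everything; a 256-byte budget drops only "tags".
    print(json.dumps(aws_rule_context_with_request_params(SAMPLE_EVENT), indent=2))
    print(json.dumps(aws_rule_context_with_request_params(SAMPLE_EVENT, max_bytes=256), indent=2))
```

Dropping largest-first rather than truncating the serialized string keeps the output valid JSON and preserves the identifiers the Jira alert needs, while the "_truncatedKeys" marker tells the responder exactly which fields were left out.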

Successfully merging this pull request may close these issues.

Consider adding requestParameters to aws_rule_context() helper