[New Rule] AWS STS AssumeRole Usage #1214
Conversation
LGTM
Two review threads on rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml (outdated, resolved)
index = ["filebeat-*", "logs-aws*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS STS AssumeRole Usage"
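Review bot: the `index` pattern `logs-aws*` on the first line matches every `logs-aws…` data stream, not only the one that carries the STS AssumeRole events this rule is named for; unless the query itself pins `event.dataset` (the query is not visible in this snippet), consider narrowing the pattern or stating in the rule why the broad match is intended.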
can we expand STS
Also are there references to add?
@brokensound77 do these changes solve this one?
👍 LGTM
After the remaining comment is resolved, then this LGTM 👍
* Update impact_iam_deactivate_mfa_device.toml #1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml ("*ipapi.co", "*ip-lookup.net", "*ipstack.com")
* Update rules/aws/impact_iam_deactivate_mfa_device.toml (Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>)
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml" (This reverts commit b57fd60.)
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_assumerole_abuse.toml
* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update
* Update .gitignore (Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>)
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml (Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>)
* Add note field
* Update privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml (Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>)
* Adding Reference
* Expand STS

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit d7eab5b)
Issues
Resolves #1153
Relates #955
Summary
Contributor checklist