SigmaHQ / sigma

Main Sigma Rule Repository

Update AWS Rule to use fieldref modifier instead of contains #4836

Closed jamesc-grafana closed 5 months ago

jamesc-grafana commented 5 months ago

Summary of the Pull Request

In deploying this rule, the Grafana SecOps team discovered that the contains modifier does not reference the field that this rule is trying to reference. Instead, we discovered that there is another modifier in pySigma that will enable field referencing, called fieldref, which enables us to update pySigma-backend-loki to reflect this modifier.

Changelog

update: AWS User Login Profile Was Modified - use fieldref instead of contains modifier

Example Log Event

An (abridged) event we want to match on:

{"eventName": "UpdateLoginProfile", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/OrgAdmin"}, "requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}

Whereas something we don't want to detect on:

{"eventName": "UpdateLoginProfile", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"}, "requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}

Fixed Issues

SigmaHQ Rule Creation Conventions
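The difference the PR relies on, as an added worked example that is not part of the PR or of the Sigma project: a `contains` modifier compares a field against a literal string, so `userIdentity.arn|contains: requestParameters.userName` looks for the text "requestParameters.userName" inside the ARN and never matches, while `fieldref` compares the field against the value of the named sibling field. The Python below resolves dotted field names against the two abridged CloudTrail events quoted above and evaluates both interpretations. The rule shape (a selection on `eventName`, with a filter on actor versus target that is negated) is an assumption inferred from the two events; the rule's actual YAML is not on this page, and all function names are hypothetical.

```python
import json

# Constructed from the two abridged CloudTrail events quoted in the PR description.
EVENT_SHOULD_MATCH = json.loads(
    '{"eventName": "UpdateLoginProfile", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/OrgAdmin"}, '
    '"requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}'
)
EVENT_SHOULD_NOT_MATCH = json.loads(
    '{"eventName": "UpdateLoginProfile", '
    '"userIdentity": {"arn": "arn:aws:iam::123456789012:user/Alice"}, '
    '"requestParameters": {"userName": "arn:aws:iam::123456789012:user/Alice"}}'
)


def get_field(event, dotted):
    """Resolve a dotted Sigma field name such as 'userIdentity.arn' against a nested JSON event.
    Returns None when any path component is missing, so a malformed event never raises."""
    current = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def contains_literal(event, field, value):
    """Semantics of the Sigma 'contains' modifier: substring match against a literal string."""
    actual = get_field(event, field)
    return isinstance(actual, str) and value in actual


def fieldref_equals(event, field, other_field):
    """Semantics of the Sigma 'fieldref' modifier: compare the field with the value of
    another field of the same event (exact match, both must be present)."""
    actual = get_field(event, field)
    other = get_field(event, other_field)
    return actual is not None and actual == other


def filter_with_contains(event):
    """The old rule as written: the literal text 'requestParameters.userName' must be a
    substring of the actor ARN. No real ARN contains that text, so this filter never holds."""
    return contains_literal(event, "userIdentity.arn", "requestParameters.userName")


def filter_with_fieldref(event):
    """The corrected filter: the actor ARN equals the value of requestParameters.userName."""
    return fieldref_equals(event, "userIdentity.arn", "requestParameters.userName")


def login_profile_modified_by_other_user(event, actor_matches_target):
    """Assumed rule shape: fire on UpdateLoginProfile unless the filter says the actor
    is modifying their own login profile (selection and not filter)."""
    if get_field(event, "eventName") != "UpdateLoginProfile":
        return False
    return not actor_matches_target(event)


if __name__ == "__main__":
    for label, event in (("other user", EVENT_SHOULD_MATCH), ("self", EVENT_SHOULD_NOT_MATCH)):
        print(label,
              "contains:", login_profile_modified_by_other_user(event, filter_with_contains),
              "fieldref:", login_profile_modified_by_other_user(event, filter_with_fieldref))
```

Run stand-alone, the `contains` variant fires on both events because its filter can never hold, which is the false positive on self-service profile changes; the `fieldref` variant fires only on the OrgAdmin-modifies-Alice event. Any backend that emits `contains` as a literal substring test will show the same behaviour, which is why the PR also needs pySigma-backend-loki to understand the new modifier.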

nasbench commented 5 months ago

@phantinuss I know we don't use the AWS rules, but just to confirm with you: using an unsupported modifier (internally) should be fine, I suppose.