To use CSPM to monitor AWS Admin Console Login after Office Hours

[bruce-wh-li]

Describe the Issue To add rule and policy to send notification to alert Admin Console Login event

Additional Context To detect Admin Console login in odd hours

• To Create Rule Set using GSL to detect Console Login
• To update Rule to filter odd hour login
• To Add Policy to apply rule to Core Account to PoC
• Set severity level to informational ?
• MS Team Channel Notification
• SIEM integration investigation

Acceptance Criteria

• [ ] to receive notification in Team Channel or Email A set of pre-defined requirement that need to be met in order to mark the user story as “done”. See below for team agreement details.

[bruce-wh-li]

Office 365 Connectors within Teams will be retired soon. The Workflows app provides similar functionality with more scalability and security. Existing connectors will require a URL update to function after December 31st, 2024.

[bruce-wh-li]

CloudGuard CSPM is capable to detect admin login and can send alert via email notification. but, it lacks notification integration with other apps such as slack, team as of now.

CSPM->RuleSet->AWS BCGOV Best... cloudtrail should not have event.name like '%console%' or event.name like '%signintoken%'

Closed