panther-labs / panther-analysis

Built-in Panther detection rules and policies
https://panther.com/
Apache License 2.0
339 stars 173 forks

Update aws_console_login_without_mfa.py #1237

Closed JPhenglavong closed 5 months ago

JPhenglavong commented 6 months ago

`is_new_account` has been checking with only `recipientAccountId`, but our new AWS account indicator creation rule has been checking for `"new_account - recipientAccountId..."`.

Adding `new_account` + `recipientAccountId` so it can match potential cached values.

### Background

### Changes

-

### Testing

-
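To illustrate the key mismatch the description refers to, here is an added example (not code from panther-analysis): a small in-memory dict stands in for Panther's string-set cache, and the `record_new_account`, `is_new_account_before` and `is_new_account_after` functions and the sample CloudTrail event are assumptions constructed for the demonstration.

```python
from typing import Dict, Set

# Constructed stand-in for Panther's cache helpers: a dict of string sets.
Cache = Dict[str, Set[str]]


def put_string_set(cache: Cache, key: str, values: Set[str]) -> None:
    cache[key] = set(values)


def get_string_set(cache: Cache, key: str) -> Set[str]:
    return cache.get(key, set())


def record_new_account(cache: Cache, event: dict) -> None:
    """Hypothetical indicator creation rule: it stores the new account
    under the prefixed key 'new_account - <recipientAccountId>'."""
    account_id = event.get("recipientAccountId", "")
    if account_id:
        put_string_set(cache, f"new_account - {account_id}", {account_id})


def is_new_account_before(cache: Cache, event: dict) -> bool:
    """Old check: looks only at the bare recipientAccountId key, so it
    never sees what the indicator rule cached under the prefixed key."""
    account_id = event.get("recipientAccountId", "")
    return bool(get_string_set(cache, account_id))


def is_new_account_after(cache: Cache, event: dict) -> bool:
    """Fixed check: accept either the bare key or the prefixed key."""
    account_id = event.get("recipientAccountId", "")
    if not account_id:
        return False
    return bool(get_string_set(cache, account_id)) or bool(
        get_string_set(cache, f"new_account - {account_id}")
    )


def demo() -> tuple:
    cache: Cache = {}
    # Constructed sample console login without MFA from a freshly created account.
    event = {
        "eventName": "ConsoleLogin",
        "recipientAccountId": "123456789012",
        "additionalEventData": {"MFAUsed": "No"},
    }
    record_new_account(cache, event)
    return is_new_account_before(cache, event), is_new_account_after(cache, event)
```

`demo()` returns `(False, True)`: the old check misses the cached indicator while the fixed check matches it.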
JPhenglavong commented 6 months ago

Hm, I'm not entirely sure why Zoom.Operations is just now requiring a `{region}` field, see error: `[FAIL] User Creation Event - Zoom [FAIL] [rule] NoRegionError: You must specify a region.`

Checking through https://github.com/panther-labs/panther-analysis/tree/release/rules/zoom_operation_rules and not seeing how my changes on `account_id` had an effect on `region` 🤔

Is it as simple as adding a `"region": "us-west"` type of field to the test data here? https://github.com/panther-labs/panther-analysis/blob/c8b6ad924885bc8103e1e910aaa2504020179d44/rules/indicator_creation_rules/new_user_account_logging.yml#L85

Going to check the Zoom docs.

github-actions[bot] commented 5 months ago

:scream: Looks like some things could be wrong with the packs.

[INFO][root]: ignoring file dependabot.yml