panther-labs / panther-analysis

Built-in Panther detection rules and policies
https://panther.com/
Apache License 2.0

fix - IAM User takeover Correlation Rule correlating on IP instead of user #1362

Closed akozlovets098 closed 1 month ago

akozlovets098 commented 1 month ago

Background

Fixes https://github.com/panther-labs/panther-analysis/issues/1359

Changes

akozlovets098 commented 1 month ago

I think this needs to correlate on both IP and target user name.

@arielkr256 We cannot correlate on both. We can add some context field to both rules that will contain both IP and user name and try correlating on this list, but I'm not sure that this is a good idea (it is not an explicit approach) and that it will work. What do you think about that?