What is the bug?
Creating a custom detection rule, then a detector for that rule before creating any other detectors, will prevent findings from being generated for all detectors.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Start with a fresh cluster running security analytics
- Create the following detection rule
```yaml
id: 25b9c01c-350d-4b95-bed1-836d04a4f473
logsource:
  product: cloudtrail
title: AWS User Login Profile Was Modified - Chase
description: my rule
tags:
  - attack.persistence
  - attack.t1098
falsepositives:
  - Legit User Account Administration
level: high
status: experimental
references:
  - 'https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation'
author: Chase
detection:
  selection_source:
    eventSource: iam.amazonaws.com
    eventName: UpdateLoginProfile
  filter:
    userIdentity.arn|contains: requestParameters.userName
  condition: selection_source and not filter
```
- Create a detector with only the above rule
- Index the following document that should generate a finding:
```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA6ON6E4XEGITEXAMPLE",
    "arn": "arn:aws:iam::888888888888:user/Mary",
    "accountId": "888888888888",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Mary",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2023-07-19T21:11:57Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2023-07-19T21:25:09Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "UpdateLoginProfile",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user",
  "requestParameters": {
    "userName": "Richard"
  },
  "responseElements": {
    "user": {
      "path": "/",
      "arn": "arn:aws:iam::888888888888:user/Richard",
      "userId": "AIDA6ON6E4XEP7EXAMPLE",
      "createDate": "Jul 19, 2023 9:25:09 PM",
      "userName": "Richard"
    }
  },
  "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc",
  "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "888888888888",
  "eventCategory": "Management",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "iam.amazonaws.com"
  },
  "sessionCredentialFromConsole": "true"
}
```
- Verify no finding is generated
What is the expected behavior?
Findings should still be generated when a custom detection rule is used in the initially created detector.
What is your host/environment?
- OS: macOS
- Version: 3.0.0 snapshot
- Plugins: Security Analytics
Do you have any additional context?
When a detector is created with a default rule first, then a second detector is created with a custom rule, findings are generated. It looks specific to the first detector using a custom rule.
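As an added check on the reproduction steps above (example code, not part of this issue or of the Security Analytics plugin), the following Python runs the rule's `detection` block against the sample event with a minimal Sigma matcher. It confirms that a finding is expected from the rule as written: the `selection_source` map matches the event, and the `filter` does not, because Sigma compares `requestParameters.userName` as a literal string rather than as a reference to another field. The matcher supports only the constructs this rule uses (dotted field paths, case-insensitive equality, `|contains`, and parenthesis-free and/or/not conditions); the two extra events in `expected_findings` are constructed variants, not data from the report.

```python
"""Evaluate the report's Sigma detection against its sample CloudTrail event.

Added example, not code from the issue or the Security Analytics plugin. It
implements just enough Sigma matching (dotted field paths, case-insensitive
equality, the `|contains` modifier, parenthesis-free and/or/not conditions)
to show that the event satisfies the rule, so a finding is expected.
"""
import json

# The rule's detection block, transcribed from the YAML in the report.
DETECTION = {
    "selection_source": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "UpdateLoginProfile",
    },
    "filter": {
        # Sigma has no field-to-field comparison: the value is the literal
        # string "requestParameters.userName", tested as a substring of the
        # ARN, so this filter never matches a real IAM user ARN.
        "userIdentity.arn|contains": "requestParameters.userName",
    },
    "condition": "selection_source and not filter",
}

# Fields of the report's sample document that the rule reads (trimmed copy).
EVENT = json.loads("""{
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::888888888888:user/Mary"},
  "eventSource": "iam.amazonaws.com",
  "eventName": "UpdateLoginProfile",
  "requestParameters": {"userName": "Richard"}
}""")


def get_field(doc, path):
    """Resolve a dotted Sigma field name such as 'userIdentity.arn' (None if absent)."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_selection(doc, selection):
    """A Sigma selection map is an implicit AND over its field/value pairs."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = get_field(doc, field)
        if actual is None:
            return False
        actual, expected = str(actual).lower(), str(expected).lower()
        if modifier == "":
            if actual != expected:
                return False
        elif modifier == "contains":
            if expected not in actual:
                return False
        else:
            raise NotImplementedError(f"modifier {modifier!r} not supported")
    return True


def evaluate(doc, detection):
    """Evaluate a parenthesis-free condition; precedence is not > and > or."""
    def term(token):
        negate = token.startswith("not ")
        name = token[4:] if negate else token
        return match_selection(doc, detection[name]) != negate

    return any(
        all(term(t.strip()) for t in clause.split(" and "))
        for clause in detection["condition"].split(" or ")
    )


def expected_findings():
    """Run the rule over the report's event and two constructed variants."""
    other_call = {**EVENT, "eventName": "CreateUser"}  # different API call: no finding
    odd_arn = {**EVENT, "userIdentity": {  # literal filter string inside the ARN: suppressed
        "arn": "arn:aws:iam::888888888888:user/requestParameters.userName"}}
    return {
        "report_event": evaluate(EVENT, DETECTION),
        "other_call": evaluate(other_call, DETECTION),
        "odd_arn": evaluate(odd_arn, DETECTION),
    }


if __name__ == "__main__":
    for name, flagged in expected_findings().items():
        print(f"{name}: {'finding expected' if flagged else 'no finding'}")
```

Running the script prints `report_event: finding expected`, which is the behaviour the detector should show for the indexed document; `odd_arn` only fires the filter because its ARN was constructed to contain the literal string, which no real IAM ARN does.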