Merge pull request #632 from splunk/fixedawsstsassumerole

fixedassumedroleaws
splunk · Sep 17, 2020 · 784a0bb · 784a0bb
2 parents a156661 + 3d14c80
commit 784a0bb
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/detections/aws_detect_sts_assume_role_abuse.yml b/detections/aws_detect_sts_assume_role_abuse.yml
@@ -6,7 +6,7 @@ id: 8e565314-b6a2-46d8-9f05-1a34a176a662
 known_false_positives: "Sts:AssumeRole can be very noisy as it is a standard mechanism to provide cross account and cross resources access. This search can be adjusted to provide specific values to identify cases of abuse."
 name: "aws detect sts assume role abuse"
 references: []
-search: '`aws_cloudwatchlogs_eks` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`'
+search: '`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`'
 tags:
   analytics_story:
     - "AWS Cross Account Activity"