
Commit 4ae43fe

adding iam event.category
1 parent f16474e commit 4ae43fe

3 files changed: +3 -3 lines changed

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml

Lines changed: 1 addition & 1 deletion
@@ -110,7 +110,7 @@ timestamp_override = "event.ingested"
110110
type = "eql"
111111

112112
query = '''
113-
any where event.dataset == "aws.cloudtrail"
113+
iam where event.dataset == "aws.cloudtrail"
114114
and event.provider == "iam.amazonaws.com"
115115
and event.action == "AttachGroupPolicy"
116116
and event.outcome == "success"
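
Review bot: On line 113, replacing `any where` with `iam where` makes the rule match only events whose event.category contains "iam", where the old query matched events of every category. If some ingested CloudTrail AttachGroupPolicy events do not carry that category value (an older integration version or a custom ingest pipeline, for example), the rule stops alerting on them without raising any error. Please confirm the category mapping for this action against real indexed events before merging, and state the minimum integration version the rule depends on if there is one.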

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml

Lines changed: 1 addition & 1 deletion
@@ -109,7 +109,7 @@ timestamp_override = "event.ingested"
109109
type = "eql"
110110

111111
query = '''
112-
any where event.dataset == "aws.cloudtrail"
112+
iam where event.dataset == "aws.cloudtrail"
113113
and event.provider == "iam.amazonaws.com"
114114
and event.action == "AttachRolePolicy"
115115
and event.outcome == "success"
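
Review bot: Line 112 is the only line this file changes (1 addition, 1 deletion), so a query edit that narrows what the rule matches ships with no accompanying change to the rule's metadata or description. If the file tracks a last-updated date or revision, update it in the same commit so the behaviour change is visible to anyone consuming the rule.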

rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml

Lines changed: 1 addition & 1 deletion
@@ -115,7 +115,7 @@ timestamp_override = "event.ingested"
115115
type = "eql"
116116

117117
query = '''
118-
any where event.dataset == "aws.cloudtrail"
118+
iam where event.dataset == "aws.cloudtrail"
119119
and event.provider == "iam.amazonaws.com"
120120
and event.action == "AttachUserPolicy"
121121
and event.outcome == "success"
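
Review bot: The commit message "adding iam event.category" says what line 118 does but not why: the query already pins event.dataset, event.provider and event.action, so the category keyword adds no selectivity a reader can see from these lines. State the reason in the commit message or PR description, and since the same edit is applied to the group, role and user rules, verify all three against the same set of sample AttachGroupPolicy, AttachRolePolicy and AttachUserPolicy events.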
