removed protocol inclusion in query

terrancedejesus · terrancedejesus · commit 653399e7c59d · 2024-11-01T10:53:25.000-04:00
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -150,8 +150,7 @@
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
     "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
-    "aws.cloudtrail.request_parameters.protocol": "keyword"
+    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
@@ -78,7 +78,7 @@ query = '''
 event.dataset: "aws.cloudtrail"
     and event.provider: "sns.amazonaws.com"
     and event.action: "Subscribe"
-    and aws.cloudtrail.request_parameters.protocol: "email"
+    and aws.cloudtrail.request_parameters: *protocol=email*
 '''
 
 
