adding source address

terrancedejesus · terrancedejesus · commit 836a81213764 · 2024-11-08T17:30:42.000-05:00
diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
@@ -104,6 +104,7 @@ event.dataset: "aws.cloudtrail"
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.type",
     "aws.cloudtrail.user_identity.arn",
     "user_agent.original",
diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
@@ -87,6 +87,7 @@ event.dataset: "aws.cloudtrail"
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.arn",
     "aws.cloudtrail.user_identity.type",
     "user_agent.original",
diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml
@@ -85,6 +85,7 @@ event.dataset: "aws.cloudtrail"
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.arn",
     "aws.cloudtrail.user_identity.type",
     "user_agent.original",
diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml
@@ -100,6 +100,7 @@ event.dataset: "aws.cloudtrail"
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.arn",
     "aws.cloudtrail.user_identity.type",
     "user_agent.original",
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
@@ -111,8 +111,8 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     event.action,
     event.outcome,
     user.name,
+    source.address,
     user.target.name,
-    related.user,
     user_agent.original,
     aws.cloudtrail.request_parameters,
     aws.cloudtrail.response_elements,
@@ -124,6 +124,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.arn",
     "aws.cloudtrail.user_identity.type",
     "user_agent.original",
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -115,13 +115,15 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index
     aws.cloudtrail.user_identity.arn,
     related.user,
     user_agent.original,
-    user.name
+    user.name,
+    source.address
 '''
 
 [rule.investigation_fields]
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.arn",
     "user_agent.original",
     "target.userName",
diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
@@ -101,6 +101,7 @@ event.dataset: "aws.cloudtrail"
 field_names = [
     "@timestamp",
     "user.name",
+    "source.address",
     "aws.cloudtrail.user_identity.arn",
     "aws.cloudtrail.user_identity.type",
     "user_agent.original",
