Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

terrancedejesus · Aegrah · web-flow · commit d53c0d80850b · 2024-11-04T19:41:13.000-05:00
Co-authored-by: Ruben Groenewoud &lt;78494512+Aegrah@users.noreply.github.com&gt;
diff --git a/rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml b/rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml
@@ -93,13 +93,14 @@ event.dataset: "aws.cloudtrail"
     and event.provider: "sts.amazonaws.com"
     and event.action: "AssumeRole"
     and event.outcome: "success"
-    and not (aws.cloudtrail.user_identity.invoked_by: (
-                "config.amazonaws.com" or
-                "securityhub.amazonaws.com" or
-                "sso.amazonaws.com"
-                )
-            )
-    and not (aws.cloudtrail.resources.arn: (*Amazon* or *AWS* or *Elastic* or *Wiz* or *DataDog*))
+    and not (
+      aws.cloudtrail.user_identity.invoked_by: (
+         "config.amazonaws.com" or
+          "securityhub.amazonaws.com" or
+          "sso.amazonaws.com"
+        ) or
+      aws.cloudtrail.resources.arn: (*Amazon* or *AWS* or *Elastic* or *Wiz* or *DataDog*)
+    )
 '''
 
 
