Merge pull request #1977 from rachelrice/update_aws_assumerole

Update AWS STS AssumeRole Misuse rule
2024-11-07 01:45:21 +00:00 · 2021-09-03 08:11:52 +02:00 · 2021-09-03 08:11:52 +02:00 · b0f8275f72
commit b0f8275f72
parent b731c20594 78d3fa4795
1 changed files with 1 additions and 2 deletions
--- a/rules/cloud/aws/aws_sts_assumerole_misuse.yml
+++ b/rules/cloud/aws/aws_sts_assumerole_misuse.yml
@ -12,8 +12,7 @@ logsource:
    service: cloudtrail
 detection:
    selection:
-        eventSource: sts.amazonaws.com
-        eventName: AssumeRole
+        userIdentity.type: AssumedRole
        userIdentity.sessionContext.sessionIssuer.type: Role
    condition: selection
 level: low