[ { "id": "214554", "creationDate": 1678293187000, "name": "AWSWAFRuleDeletion", "message": "WAF rule or rulegroup deletion", "description": "WAF rule or rulegroup deletion", "categoryId": "2432", "subcategory": "lib.my.tutorials.AWS", "subcategoryId": "4452", "isActive": false, "isFavorite": false, "isAlertChain": false, "alertCorrelationContext": { "id": "67741", "nameId": "my.alert.tutorials.AWSWAFRuleDeletion", "ownerEmail": "john.smith@devo.com", "querySourceCode": "from cloud.aws.cloudtrail where eq(eventName,\"DeleteRule\") or eq(eventName,\"DeleteRuleGroup\") group every 1m select count() as count", "priority": 3, "correlationTrigger": { "kind": "each", "externalPeriod": null, "externalOffset": null, "internalPeriod": null, "internalOffset": null } }, "actionPolicyId": [] }, { "id": "214555", "creationDate": 1678293190000, "name": "AWSRootAccessConsoleLogin", "message": "Root access via console", "description": "Root access via console", "categoryId": "2432", "subcategory": "lib.my.tutorials.threats", "subcategoryId": "4453", "isActive": false, "isFavorite": false, "isAlertChain": false, "alertCorrelationContext": { "id": "67742", "nameId": "my.alert.tutorials.AWSRootAccessConsoleLogin", "ownerEmail": "john.smith@devo.com", "querySourceCode": "from cloud.aws.cloudtrail where eventSource=\"signin.amazonaws.com\" where eventName=\"ConsoleLogin\" select str(jqeval(jqcompile(\".ConsoleLogin\"), responseElements)) as loginResponse select str(jqeval(jqcompile(\".MFAUsed\"), additionalEventData)) as mfaUsed group every 1m by userName,userIdentity_principalId,userIdentity_type,mfaUsed,loginResponse where userIdentity_type=\"Root\" where loginResponse=\"Success\" select count() as count", "priority": 2, "correlationTrigger": { "kind": "each", "externalPeriod": null, "externalOffset": null, "internalPeriod": null, "internalOffset": null } }, "actionPolicyId": [] }]
Preview this Workflow on desktop