From b14b0a0bcfc121881e411b7bdb107e3e021189e7 Mon Sep 17 00:00:00 2001 From: Ryan Deivert Date: Tue, 7 Nov 2017 14:16:48 -0800 Subject: [PATCH 1/3] [parser] fixing bug with json parser --- stream_alert/rule_processor/parsers.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/stream_alert/rule_processor/parsers.py b/stream_alert/rule_processor/parsers.py index 1eeb0f67d..6fe050760 100644 --- a/stream_alert/rule_processor/parsers.py +++ b/stream_alert/rule_processor/parsers.py @@ -251,7 +251,10 @@ def _parse_records(self, schema, json_payload): if json_path_expression: LOGGER.debug('Parsing records with JSONPath') records_jsonpath = jsonpath_rw.parse(json_path_expression) - for match in records_jsonpath.find(json_payload): + matches = records_jsonpath.find(json_payload) + if not matches: + return False + for match in matches: record = match.value if envelope: record.update({ENVELOPE_KEY: envelope}) From 5bda7760a354bd866b581f5997900acff3c3333a Mon Sep 17 00:00:00 2001 From: Ryan Deivert Date: Tue, 7 Nov 2017 14:52:51 -0800 Subject: [PATCH 2/3] [tests] adding tests for previous changes --- tests/unit/conf/logs.json | 5 +---- .../test_classifier.py | 10 +++++----- .../test_helpers.py | 2 +- .../test_parsers.py | 18 +++++++++++++----- .../test_rules_engine.py | 8 +++----- 5 files changed, 23 insertions(+), 20 deletions(-) diff --git a/tests/unit/conf/logs.json b/tests/unit/conf/logs.json index 8aa0ee904..836d798b1 100644 --- a/tests/unit/conf/logs.json +++ b/tests/unit/conf/logs.json @@ -294,10 +294,7 @@ "detail": {}, "source": "string" }, - "parser": "json", - "configuration": { - "json_path": "logEvents[*].extractedFields" - } + "parser": "json" }, "json:regex_key_with_envelope": { "schema": { diff --git a/tests/unit/stream_alert_rule_processor/test_classifier.py b/tests/unit/stream_alert_rule_processor/test_classifier.py index 90eaeb990..6ce2fe738 100644 --- a/tests/unit/stream_alert_rule_processor/test_classifier.py 
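Review bot: The new `return False` on an empty JSONPath match is silent, so a payload that lacks the configured path is dropped from classification with nothing in the logs; for a detection pipeline that is exactly the failure an operator needs to be able to see, so add `LOGGER.debug('No records found for JSONPath expression: %s', json_path_expression)` before the return, in the style of the debug line above it. The loop body that follows still calls `record.update(...)` on each match value, so a `json_path` that resolves to a scalar or a list raises AttributeError rather than returning False; if the configuration cannot guarantee dict-valued matches, an `isinstance(record, dict)` check with the same `return False` would make that path consistent with the new one. `_parse_records` begins before and continues after this hunk, so what the function returned for zero matches before this change is not visible here.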
+++ b/tests/unit/stream_alert_rule_processor/test_classifier.py @@ -46,7 +46,7 @@ def _prepare_and_classify_payload(self, service, entity, raw_record): """Helper method to return a preparsed and classified payload""" payload = load_stream_payload(service, entity, raw_record) - payload = payload.pre_parse().next() + payload = list(payload.pre_parse())[0] self.classifier.load_sources(service, entity) self.classifier.classify_record(payload) @@ -272,7 +272,7 @@ def test_parse_convert_fail(self, log_mock): raw_record = make_kinesis_raw_record(entity, kinesis_data) payload = load_stream_payload(service, entity, raw_record) - payload = payload.pre_parse().next() + payload = list(payload.pre_parse())[0] result = self.classifier._parse(payload) @@ -301,7 +301,7 @@ def test_mult_schema_match_success(self): self.classifier.load_sources(service, entity) - payload = payload.pre_parse().next() + payload = list(payload.pre_parse())[0] schema_matches = self.classifier._process_log_schemas(payload) @@ -330,7 +330,7 @@ def test_mult_schema_match_failure(self, log_mock): self.classifier.load_sources(service, entity) - payload = payload.pre_parse().next() + payload = list(payload.pre_parse())[0] schema_matches = self.classifier._process_log_schemas(payload) @@ -359,7 +359,7 @@ def test_mult_schema_match(self, log_mock): self.classifier.load_sources(service, entity) - payload = payload.pre_parse().next() + payload = list(payload.pre_parse())[0] schema_matches = self.classifier._process_log_schemas(payload) diff --git a/tests/unit/stream_alert_rule_processor/test_helpers.py b/tests/unit/stream_alert_rule_processor/test_helpers.py index 48a85e8f7..f5671814a 100644 --- a/tests/unit/stream_alert_rule_processor/test_helpers.py +++ b/tests/unit/stream_alert_rule_processor/test_helpers.py 
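Review bot: `list(payload.pre_parse())[0]` in `_prepare_and_classify_payload` materialises every pre-parsed record just to pick the first one, and turns an empty result into an IndexError instead of StopIteration; `payload = next(payload.pre_parse())` is the builtin equivalent of the removed `.next()` call, works on both Python 2 and 3 (which looks like the motivation for the change), and keeps the generator lazy. The same substitution is repeated in the four hunks below this one and in test_helpers.py, so whichever form is chosen should be applied consistently across them. This assumes `pre_parse()` still returns a generator, as the old `.next()` call implies; its definition is not part of this patch.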
@@ -111,7 +111,7 @@ def load_and_classify_payload(config, service, entity, raw_record): # prepare the payloads payload = load_stream_payload(service, entity, raw_record) - payload = payload.pre_parse().next() + payload = list(payload.pre_parse())[0] classifier = StreamClassifier(config=config) classifier.load_sources(service, entity) classifier.classify_record(payload) diff --git a/tests/unit/stream_alert_rule_processor/test_parsers.py b/tests/unit/stream_alert_rule_processor/test_parsers.py index d01294f40..36bf03645 100644 --- a/tests/unit/stream_alert_rule_processor/test_parsers.py +++ b/tests/unit/stream_alert_rule_processor/test_parsers.py @@ -49,12 +49,8 @@ def teardown_class(cls): def _parser_type(cls): pass - def parser_helper(self, **kwargs): + def parser_helper(self, data, schema, options=None): """Helper to return the parser result""" - data = kwargs['data'] - schema = kwargs['schema'] - options = kwargs.get('options', {}) - parser = self.parser_class(options) parsed_result = parser.parse(schema, data) return parsed_result @@ -114,6 +110,18 @@ def test_non_string_input(self): assert_equal(len(parsed_data), 1) + def test_invalid_json_path(self): + """JSON Parser - Invalid JSON Path""" + # setup + schema = {'name': 'string', 'result': 'string'} + data = {'name': 'test', 'result': 'test'} + options = {'json_path': 'Records[*]'} + + # get parsed data + parsed_data = self.parser_helper(data=data, schema=schema, options=options) + + assert_false(parsed_data) + @patch('stream_alert.rule_processor.parsers.LOGGER') def test_invalid_json(self, mock_logging): """JSON Parser - Invalid Input""" diff --git a/tests/unit/stream_alert_rule_processor/test_rules_engine.py b/tests/unit/stream_alert_rule_processor/test_rules_engine.py index 97e14896b..d882cbb39 100644 --- a/tests/unit/stream_alert_rule_processor/test_rules_engine.py +++ b/tests/unit/stream_alert_rule_processor/test_rules_engine.py 
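Review bot: `parser_helper` now passes `None` straight into `self.parser_class(options)` when a caller omits `options`, whereas the removed `kwargs.get('options', {})` always supplied a dict; unless the parser constructor normalises `None` itself (not visible here), any `options.get(...)` inside it will raise AttributeError for the tests that rely on the default. Keep the `None` default, which avoids a mutable default argument, but restore the normalisation: `parser = self.parser_class(options or {})`. The docstring could also name what it takes, e.g. `"""Return the parser result for ``data`` under ``schema``, with optional parser ``options``"""`.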
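Review bot: `test_invalid_json_path` asserts only falsiness, so if the pre-fix parser returned an empty list for a non-matching JSONPath this test would have passed before the fix as well and does not pin the new `return False` contract; `assert_equal(parsed_data, False)` (or `assert_is(parsed_data, False)`) does. The name and docstring are also misleading: `Records[*]` is a syntactically valid JSONPath that simply matches nothing in `data`, so `"""JSON Parser - JSONPath With No Matches"""` describes what is actually exercised. A genuinely invalid expression, one that `jsonpath_rw.parse` rejects, is a separate case worth its own test, since the parser hunk in patch 1 does not appear to guard that parse call.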
@@ -662,8 +662,7 @@ def test_match_types_helper(self): assert_equal(results, expected_results) def test_process_optional_logs(self): - """Rules Engine - Logs is optional when datatypes presented - """ + """Rules Engine - Logs is optional when datatypes are present""" @rule(datatypes=['sourceAddress'], outputs=['s3:sample_bucket']) def no_logs_has_datatypes(rec): # pylint: disable=unused-variable @@ -722,12 +721,11 @@ def has_logs_datatypes(rec): # pylint: disable=unused-variable assert_equal(len(alerts), 3) rule_names = ['no_logs_has_datatypes', 'has_logs_no_datatypes', - 'has_logs_datatypes' - ] + 'has_logs_datatypes'] assert_items_equal([alerts[i]['rule_name'] for i in range(3)], rule_names) def test_process_required_logs(self): - """Rules Engine - Logs is required when no datatypes defined.""" + """Rules Engine - Logs is required when no datatypes defined""" @rule(outputs=['s3:sample_bucket']) def match_ipaddress(): # pylint: disable=unused-variable """Testing rule to detect matching IP address""" From 3e0dd1930e7e5d180647137ee1079373104af127 Mon Sep 17 00:00:00 2001 From: Ryan Deivert Date: Tue, 7 Nov 2017 15:03:31 -0800 Subject: [PATCH 3/3] [tests] updating misconfigured test events --- .../cloudtrail_critical_api_calls.json | 776 +++++++++--------- .../cloudtrail/cloudtrail_put_object_acl.json | 498 +++++------ 2 files changed, 667 insertions(+), 607 deletions(-) diff --git a/tests/integration/rules/cloudtrail/cloudtrail_critical_api_calls.json b/tests/integration/rules/cloudtrail/cloudtrail_critical_api_calls.json index bb34622e5..be618a176 100644 --- a/tests/integration/rules/cloudtrail/cloudtrail_critical_api_calls.json +++ b/tests/integration/rules/cloudtrail/cloudtrail_critical_api_calls.json 
@@ -1,385 +1,427 @@ { - "records": [ - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "DeleteSubnet", - "eventSource": "ec2.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "subnetId": "..." - }, - "responseElements": { - "_return": true - }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "true" - } - }, - "type": "..." + "records": [ + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "DeleteSubnet", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "subnetId": "..." + }, + "responseElements": { + "_return": true + }, + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" } + }, + "type": "..." 
+ } + } + ] + }, + "description": "Deleting an AWS subnet (DeleteSubnet) will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "DeleteVpc", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "vpcId": "..." }, - "description": "Deleting an AWS subnet (DeleteSubnet) will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "DeleteVpc", - "eventSource": "ec2.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "vpcId": "..." - }, - "responseElements": { - "_return": true - }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "true" - } - }, - "type": "..." + "responseElements": { + "_return": true + }, + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" } + }, + "type": "..." 
+ } + } + ] + }, + "description": "Deleting an AWS VPC (DeleteVpc) will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "UpdateTrail", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "cloudWatchLogsLogGroupArn": "...", + "cloudWatchLogsRoleArn": "...", + "enableLogFileValidation": true, + "isMultiRegionTrail": true, + "kmsKeyId": "", + "name": "..." }, - "description": "Deleting an AWS VPC (DeleteVpc) will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "UpdateTrail", - "eventSource": "cloudtrail.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "cloudWatchLogsLogGroupArn": "...", - "cloudWatchLogsRoleArn": "...", - "enableLogFileValidation": true, - "isMultiRegionTrail": true, - "kmsKeyId": "", - "name": "..." - }, - "responseElements": { - "cloudWatchLogsLogGroupArn": "...", - "cloudWatchLogsRoleArn": "...", - "includeGlobalServiceEvents": true, - "isMultiRegionTrail": true, - "logFileValidationEnabled": true, - "name": "...", - "s3BucketName": "...", - "trailARN": "..." 
- }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "true" - } - }, - "type": "..." + "responseElements": { + "cloudWatchLogsLogGroupArn": "...", + "cloudWatchLogsRoleArn": "...", + "includeGlobalServiceEvents": true, + "isMultiRegionTrail": true, + "logFileValidationEnabled": true, + "name": "...", + "s3BucketName": "...", + "trailARN": "..." + }, + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" } + }, + "type": "..." + } + } + ] + }, + "description": "Updating an AWS CloudTrail trail (UpdateTrail) will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "StopLogging", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "name": "..." 
}, - "description": "Updating an AWS CloudTrail trail (UpdateTrail) will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "StopLogging", - "eventSource": "cloudtrail.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "name": "..." - }, - "responseElements": null, - "sourceIPAddress": "...", - "userAgent": "...m", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "false" - } - }, - "type": "..." + "responseElements": null, + "sourceIPAddress": "...", + "userAgent": "...m", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "false" } + }, + "type": "..." 
+ } + } + ] + }, + "description": "Suspending the recording of AWS API calls and log file delivery for a trail will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "DeleteDBCluster", + "eventSource": "rds.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "dBClusterIdentifier": "...", + "skipFinalSnapshot": true }, - "description": "Suspending the recording of AWS API calls and log file delivery for a trail will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "DeleteDBCluster", - "eventSource": "rds.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "dBClusterIdentifier": "...", - "skipFinalSnapshot": true + "responseElements": { + "allocatedStorage": 1, + "associatedRoles": [], + "availabilityZones": [ + "...", + "...", + "..." + ], + "backupRetentionPeriod": 1, + "clusterCreateTime": "...", + "dBClusterArn": "...", + "dBClusterIdentifier": "...", + "dBClusterMembers": [ + { + "dBClusterParameterGroupStatus": "...", + "dBInstanceIdentifier": "...", + "isClusterWriter": true, + "promotionTier": 1 }, - "responseElements": { - "allocatedStorage": 1, - "associatedRoles": [ - ], - "availabilityZones": [ - "...", - "...", - "..." 
- ], - "backupRetentionPeriod": 1, - "clusterCreateTime": "...", - "dBClusterArn": "...", - "dBClusterIdentifier": "...", - "dBClusterMembers": [ - { - "dBClusterParameterGroupStatus": "...", - "dBInstanceIdentifier": "...", - "isClusterWriter": true, - "promotionTier": 1 - }, - { - "dBClusterParameterGroupStatus": "...", - "dBInstanceIdentifier": "...", - "isClusterWriter": false, - "promotionTier": 1 - } - ], - "dBClusterParameterGroup": "...", - "dBSubnetGroup": "...", - "databaseName": "...", - "dbClusterResourceId": "...", - "earliestRestorableTime": "...", - "endpoint": "...", - "engine": "...", - "engineVersion": "...", - "hostedZoneId": "...", - "iAMDatabaseAuthenticationEnabled": false, - "latestRestorableTime": "...", - "masterUsername": "...", - "multiAZ": true, - "port": 3306, - "preferredBackupWindow": "...", - "preferredMaintenanceWindow": "...", - "readReplicaIdentifiers": [ - ], - "readerEndpoint": "...", - "status": "...", - "storageEncrypted": false, - "vpcSecurityGroups": [ - { - "status": "...", - "vpcSecurityGroupId": "..." - } - ] - }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "false" - } - }, - "type": "..." 
+ { + "dBClusterParameterGroupStatus": "...", + "dBInstanceIdentifier": "...", + "isClusterWriter": false, + "promotionTier": 1 + } + ], + "dBClusterParameterGroup": "...", + "dBSubnetGroup": "...", + "databaseName": "...", + "dbClusterResourceId": "...", + "earliestRestorableTime": "...", + "endpoint": "...", + "engine": "...", + "engineVersion": "...", + "hostedZoneId": "...", + "iAMDatabaseAuthenticationEnabled": false, + "latestRestorableTime": "...", + "masterUsername": "...", + "multiAZ": true, + "port": 3306, + "preferredBackupWindow": "...", + "preferredMaintenanceWindow": "...", + "readReplicaIdentifiers": [], + "readerEndpoint": "...", + "status": "...", + "storageEncrypted": false, + "vpcSecurityGroups": [ + { + "status": "...", + "vpcSecurityGroupId": "..." } + ] }, - "description": "Deleting a database cluster (DeleteDBCluster) will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "StopConfigurationRecorder", - "eventSource": "config.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "configurationRecorderName": "..." - }, - "responseElements": null, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "false" - } - }, - "type": "..." 
+ "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "false" } + }, + "type": "..." + } + } + ] + }, + "description": "Deleting a database cluster (DeleteDBCluster) will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "StopConfigurationRecorder", + "eventSource": "config.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "configurationRecorderName": "..." }, - "description": "Suspending recording of resource changes through AWS Config (StopConfigurationRecorder) will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "DeleteFlowLogs", - "eventSource": "ec2.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "flowLogId": [ - "..." - ] - }, - "responseElements": { - "unsuccessful": [ - ] - }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "invokedBy": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "true" - } - }, - "type": "..." 
+ "responseElements": null, + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "false" } + }, + "type": "..." + } + } + ] + }, + "description": "Suspending recording of resource changes through AWS Config (StopConfigurationRecorder) will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "DeleteFlowLogs", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "flowLogId": [ + "..." + ] }, - "description": "Deleting AWS network flow logs (DeleteFlowLogs) will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_critical_api_calls"] - }, - { - "data": { - "awsRegion": "us-west-2", - "eventID": "123aaac1-123d-456a-1k29a4dd2kea", - "eventName": "DescribeFlowLogs", - "eventSource": "ec2.amazonaws.com", - "eventTime": "2017-01-01T00:20:50Z", - "eventType": "AwsApiCall", - "eventVersion": "1.05", - "recipientAccountId": "123456789123", - "requestID": "...", - "requestParameters": { - "flowLogId": [ - "..." - ] - }, - "responseElements": { - "unsuccessful": [ - ] - }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accessKeyId": "...", - "accountId": "12345", - "arn": "...", - "invokedBy": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "true" - } - }, - "type": "..." 
+ "responseElements": { + "unsuccessful": [] + }, + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "invokedBy": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" } + }, + "type": "..." + } + } + ] + }, + "description": "Deleting AWS network flow logs (DeleteFlowLogs) will create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [ + "cloudtrail_critical_api_calls" + ] + }, + { + "data": { + "Records": [ + { + "awsRegion": "us-west-2", + "eventID": "123aaac1-123d-456a-1k29a4dd2kea", + "eventName": "DescribeFlowLogs", + "eventSource": "ec2.amazonaws.com", + "eventTime": "2017-01-01T00:20:50Z", + "eventType": "AwsApiCall", + "eventVersion": "1.05", + "recipientAccountId": "123456789123", + "requestID": "...", + "requestParameters": { + "flowLogId": [ + "..." + ] }, - "description": "Describing AWS network flog logs will not create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": [] - } - ] -} + "responseElements": { + "unsuccessful": [] + }, + "sourceIPAddress": "...", + "userAgent": "...", + "userIdentity": { + "accessKeyId": "...", + "accountId": "12345", + "arn": "...", + "invokedBy": "...", + "principalId": "12345", + "sessionContext": { + "attributes": { + "creationDate": "...", + "mfaAuthenticated": "true" + } + }, + "type": "..." + } + } + ] + }, + "description": "Describing AWS network flog logs will not create an alert.", + "log": "cloudtrail:events", + "service": "s3", + "source": "prefix.cluster.sample.bucket", + "trigger_rules": [] + } + ] +} \ No newline at end of file diff --git a/tests/integration/rules/cloudtrail/cloudtrail_put_object_acl.json b/tests/integration/rules/cloudtrail/cloudtrail_put_object_acl.json index 98f20fc14..705bef967 100644 
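Review bot: The rewritten fixture drops the file's trailing newline (`\ No newline at end of file`), which will show up as noise in every later diff of this file; re-add the final newline if the formatter that produced this layout allows it. The description of the DescribeFlowLogs event still reads `flog logs` — `"description": "Describing AWS network flow logs will not create an alert."` — worth fixing while the whole file is being rewritten. Wrapping each event in a `Records` array presumably matches the `json_path` configured for `cloudtrail:events`; that configuration is not in this patch, so it cannot be confirmed from here.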
--- a/tests/integration/rules/cloudtrail/cloudtrail_put_object_acl.json
+++ b/tests/integration/rules/cloudtrail/cloudtrail_put_object_acl.json
@@ -1,248 +1,266 @@ { - "records": [ - { - "data": { - "additionalEventData": { - "x-amz-id-2": "..." - }, - "awsRegion": "...", - "eventID": "...", - "eventName": "PutObject", - "eventSource": "...", - "eventTime": "...", - "eventType": "AwsApiCall", - "eventVersion": "...", - "readOnly": false, - "recipientAccountId": "12345", - "requestID": "...", - "requestParameters": { - "X-Amz-Algorithm": "...", - "X-Amz-Date": "...", - "X-Amz-Expires": "12345", - "X-Amz-SignedHeaders": "...", - "accessControlList": { - "x-amz-grant-read": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"", - "x-amz-grant-read-acp": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"", - "x-amz-grant-write": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"", - "x-amz-grant-write-acp": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"" - }, - "bucketName": "...", - "key": "...", - "x-amz-storage-class": "..." - }, - "resources": [ - { - "ARN": "...", - "type": "..." - }, - { - "ARN": "...", - "accountId": "12345", - "type": "..." - } - ], - "responseElements": { - }, - "sourceIPAddress": "...", - "userAgent": "...", - "userIdentity": { - "accountId": "12345", - "arn": "...", - "principalId": "12345", - "sessionContext": { - "attributes": { - "creationDate": "...", - "mfaAuthenticated": "false" - } - }, - "type": "..." - } + "records": [ + { + "data": { + "Records": [ + { + "additionalEventData": { + "x-amz-id-2": "..." 
+ }, + "awsRegion": "...", + "eventID": "...", + "eventName": "PutObject", + "eventSource": "...", + "eventTime": "...", + "eventType": "AwsApiCall", + "eventVersion": "...", + "readOnly": false, + "recipientAccountId": "12345", + "requestID": "...", + "requestParameters": { + "X-Amz-Algorithm": "...", + "X-Amz-Date": "...", + "X-Amz-Expires": "12345", + "X-Amz-SignedHeaders": "...", + "accessControlList": { + "x-amz-grant-read": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"", + "x-amz-grant-read-acp": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"", + "x-amz-grant-write": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"", + "x-amz-grant-write-acp": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", id=\"...\"" + }, + "bucketName": "...", + "key": "...", + "x-amz-storage-class": "..." }, - "description": "Storing an S3 object with an `AuthenticatedUsers` permission will create an alert.", - "log": "cloudtrail:events", - "service": "s3", - "source": "prefix.cluster.sample.bucket", - "trigger_rules": ["cloudtrail_put_object_acl"] - }, - { - "data": { - "additionalEventData": { - "x-amz-id-2": "..." - }, - "awsRegion": "...", - "eventID": "...", - "eventName": "PutObject", - "eventSource": "...", - "eventTime": "...", - "eventType": "AwsApiCall", - "eventVersion": "...", - "readOnly": false, - "recipientAccountId": "12345", - "requestID": "...", - "requestParameters": { - "X-Amz-Algorithm": "...", - "X-Amz-Date": "...", - "X-Amz-Expires": "12345", - "X-Amz-SignedHeaders": "...", - "accessControlList": { - "x-amz-grant-read": "uri=\"http://acs.amazonaws.com/groups/global/AllUsers\", id=\"...\"" - }, - "bucketName": "...", - "key": "...", - "x-amz-storage-class": "..." - }, - "resources": [ - { - "ARN": "...", - "type": "..." - }, - { - "ARN": "...", - "accountId": "12345", - "type": "..." 
- }
- ],
- "responseElements": {
- },
- "sourceIPAddress": "...",
- "userAgent": "...",
- "userIdentity": {
- "accountId": "12345",
- "arn": "...",
- "principalId": "12345",
- "sessionContext": {
- "attributes": {
- "creationDate": "...",
- "mfaAuthenticated": "false"
- }
- },
- "type": "..."
+ "resources": [
+ {
+ "ARN": "...",
+ "type": "..."
+ },
+ {
+ "ARN": "...",
+ "accountId": "12345",
+ "type": "..."
+ }
+ ],
+ "responseElements": {},
+ "sourceIPAddress": "...",
+ "userAgent": "...",
+ "userIdentity": {
+ "accountId": "12345",
+ "arn": "...",
+ "principalId": "12345",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "...",
+ "mfaAuthenticated": "false"
 }
+ },
+ "type": "..."
+ }
+ }
+ ]
+ },
+ "description": "Storing an S3 object with an `AuthenticatedUsers` permission will create an alert.",
+ "log": "cloudtrail:events",
+ "service": "s3",
+ "source": "prefix.cluster.sample.bucket",
+ "trigger_rules": [
+ "cloudtrail_put_object_acl"
+ ]
+ },
+ {
+ "data": {
+ "Records": [
+ {
+ "additionalEventData": {
+ "x-amz-id-2": "..."
+ },
+ "awsRegion": "...",
+ "eventID": "...",
+ "eventName": "PutObject",
+ "eventSource": "...",
+ "eventTime": "...",
+ "eventType": "AwsApiCall",
+ "eventVersion": "...",
+ "readOnly": false,
+ "recipientAccountId": "12345",
+ "requestID": "...",
+ "requestParameters": {
+ "X-Amz-Algorithm": "...",
+ "X-Amz-Date": "...",
+ "X-Amz-Expires": "12345",
+ "X-Amz-SignedHeaders": "...",
+ "accessControlList": {
+ "x-amz-grant-read": "uri=\"http://acs.amazonaws.com/groups/global/AllUsers\", id=\"...\""
+ },
+ "bucketName": "...",
+ "key": "...",
+ "x-amz-storage-class": "..."
 },
- "description": "Storing an S3 object with an `AllUsers` permission will create an alert.",
- "log": "cloudtrail:events",
- "service": "s3",
- "source": "prefix.cluster.sample.bucket",
- "trigger_rules": ["cloudtrail_put_object_acl"]
- },
- {
- "data": {
- "additionalEventData": {
- "x-amz-id-2": "..."
- },
- "awsRegion": "...",
- "eventID": "...",
- "eventName": "PutObject",
- "eventSource": "...",
- "eventTime": "...",
- "eventType": "AwsApiCall",
- "eventVersion": "...",
- "readOnly": false,
- "recipientAccountId": "12345",
- "requestID": "...",
- "requestParameters": {
- "X-Amz-Algorithm": "...",
- "X-Amz-Date": "...",
- "X-Amz-Expires": "12345",
- "X-Amz-SignedHeaders": "...",
- "accessControlList": {
- "x-amz-grant-write-acp": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", uri=\"http://acs.amazonaws.com/groups/global/AllUsers\", id=\"...\""
- },
- "bucketName": "...",
- "key": "...",
- "x-amz-storage-class": "..."
- },
- "resources": [
- {
- "ARN": "...",
- "type": "..."
- },
- {
- "ARN": "...",
- "accountId": "12345",
- "type": "..."
- }
- ],
- "responseElements": {
- },
- "sourceIPAddress": "...",
- "userAgent": "...",
- "userIdentity": {
- "accountId": "12345",
- "arn": "...",
- "principalId": "12345",
- "sessionContext": {
- "attributes": {
- "creationDate": "...",
- "mfaAuthenticated": "false"
- }
- },
- "type": "..."
+ "resources": [
+ {
+ "ARN": "...",
+ "type": "..."
+ },
+ {
+ "ARN": "...",
+ "accountId": "12345",
+ "type": "..."
+ }
+ ],
+ "responseElements": {},
+ "sourceIPAddress": "...",
+ "userAgent": "...",
+ "userIdentity": {
+ "accountId": "12345",
+ "arn": "...",
+ "principalId": "12345",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "...",
+ "mfaAuthenticated": "false"
 }
+ },
+ "type": "..."
+ }
+ }
+ ]
+ },
+ "description": "Storing an S3 object with an `AllUsers` permission will create an alert.",
+ "log": "cloudtrail:events",
+ "service": "s3",
+ "source": "prefix.cluster.sample.bucket",
+ "trigger_rules": [
+ "cloudtrail_put_object_acl"
+ ]
+ },
+ {
+ "data": {
+ "Records": [
+ {
+ "additionalEventData": {
+ "x-amz-id-2": "..."
 },
- "description": "Storing an S3 object with an `AllUsers` and `AuthenticatedUsers` permission will create an alert.",
- "log": "cloudtrail:events",
- "service": "s3",
- "source": "prefix.cluster.sample.bucket",
- "trigger_rules": ["cloudtrail_put_object_acl"]
- },
- {
- "data": {
- "additionalEventData": {
- "x-amz-id-2": "..."
- },
- "awsRegion": "...",
- "eventID": "...",
- "eventName": "PutObject",
- "eventSource": "...",
- "eventTime": "...",
- "eventType": "AwsApiCall",
- "eventVersion": "...",
- "readOnly": false,
- "recipientAccountId": "12345",
- "requestID": "...",
- "requestParameters": {
- "X-Amz-Algorithm": "...",
- "X-Amz-Date": "...",
- "X-Amz-Expires": "123",
- "X-Amz-SignedHeaders": "...",
- "bucketName": "...",
- "key": "...",
- "x-amz-storage-class": "..."
- },
- "resources": [
- {
- "ARN": "...",
- "type": "..."
- },
- {
- "ARN": "...",
- "accountId": "12345",
- "type": "..."
- }
- ],
- "responseElements": {
- },
- "sourceIPAddress": "...",
- "userAgent": "...",
- "userIdentity": {
- "accountId": "12345",
- "arn": "...",
- "principalId": "12345",
- "sessionContext": {
- "attributes": {
- "creationDate": "...",
- "mfaAuthenticated": "true"
- }
- },
- "type": "..."
+ "awsRegion": "...",
+ "eventID": "...",
+ "eventName": "PutObject",
+ "eventSource": "...",
+ "eventTime": "...",
+ "eventType": "AwsApiCall",
+ "eventVersion": "...",
+ "readOnly": false,
+ "recipientAccountId": "12345",
+ "requestID": "...",
+ "requestParameters": {
+ "X-Amz-Algorithm": "...",
+ "X-Amz-Date": "...",
+ "X-Amz-Expires": "12345",
+ "X-Amz-SignedHeaders": "...",
+ "accessControlList": {
+ "x-amz-grant-write-acp": "uri=\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\", uri=\"http://acs.amazonaws.com/groups/global/AllUsers\", id=\"...\""
+ },
+ "bucketName": "...",
+ "key": "...",
+ "x-amz-storage-class": "..."
+ },
+ "resources": [
+ {
+ "ARN": "...",
+ "type": "..."
+ },
+ {
+ "ARN": "...",
+ "accountId": "12345",
+ "type": "..."
+ }
+ ],
+ "responseElements": {},
+ "sourceIPAddress": "...",
+ "userAgent": "...",
+ "userIdentity": {
+ "accountId": "12345",
+ "arn": "...",
+ "principalId": "12345",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "...",
+ "mfaAuthenticated": "false"
 }
+ },
+ "type": "..."
+ }
+ }
+ ]
+ },
+ "description": "Storing an S3 object with an `AllUsers` and `AuthenticatedUsers` permission will create an alert.",
+ "log": "cloudtrail:events",
+ "service": "s3",
+ "source": "prefix.cluster.sample.bucket",
+ "trigger_rules": [
+ "cloudtrail_put_object_acl"
+ ]
+ },
+ {
+ "data": {
+ "Records": [
+ {
+ "additionalEventData": {
+ "x-amz-id-2": "..."
+ },
+ "awsRegion": "...",
+ "eventID": "...",
+ "eventName": "PutObject",
+ "eventSource": "...",
+ "eventTime": "...",
+ "eventType": "AwsApiCall",
+ "eventVersion": "...",
+ "readOnly": false,
+ "recipientAccountId": "12345",
+ "requestID": "...",
+ "requestParameters": {
+ "X-Amz-Algorithm": "...",
+ "X-Amz-Date": "...",
+ "X-Amz-Expires": "123",
+ "X-Amz-SignedHeaders": "...",
+ "bucketName": "...",
+ "key": "...",
+ "x-amz-storage-class": "..."
 },
- "description": "Storing an S3 object without an `AllUsers` or `AuthenticatedUsers` permission will not create an alert.",
- "log": "cloudtrail:events",
- "service": "s3",
- "source": "prefix.cluster.sample.bucket",
- "trigger_rules": []
- }
- ]
-}
+ "resources": [
+ {
+ "ARN": "...",
+ "type": "..."
+ },
+ {
+ "ARN": "...",
+ "accountId": "12345",
+ "type": "..."
+ }
+ ],
+ "responseElements": {},
+ "sourceIPAddress": "...",
+ "userAgent": "...",
+ "userIdentity": {
+ "accountId": "12345",
+ "arn": "...",
+ "principalId": "12345",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "...",
+ "mfaAuthenticated": "true"
+ }
+ },
+ "type": "..."
+ }
+ }
+ ]
+ },
+ "description": "Storing an S3 object without an `AllUsers` or `AuthenticatedUsers` permission will not create an alert.",
+ "log": "cloudtrail:events",
+ "service": "s3",
+ "source": "prefix.cluster.sample.bucket",
+ "trigger_rules": []
+ }
+ ]
+}
\ No newline at end of file