You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For the rule AWS.CloudTrail.SecurityConfigurationChange the final test case "Security Configuration Changed - Allowlisted User" always passes, even if the example user is removed from the ALLOW_LIST as the event is not in the SECURITY_CONFIG_ACTIONS list.
I found this while debugging our internal clone of these rules.
For the rule
AWS.CloudTrail.SecurityConfigurationChangethe final test case "Security Configuration Changed - Allowlisted User" always passes, even if the example user is removed from the ALLOW_LIST as the event is not in the SECURITY_CONFIG_ACTIONS list.I found this while debugging our internal clone of these rules.
Test case:
panther-analysis/aws_cloudtrail_rules/aws_security_configuration_change.yml
Line 210 in 3b552f5
SECURITY_CONFIG_ACTIONS:
panther-analysis/aws_cloudtrail_rules/aws_security_configuration_change.py
Line 6 in 3b552f5
I'm not sure how best to fix this without inadvertently adding a blindspot for any users named ExampleUser, but thought you should be aware of it.
The text was updated successfully, but these errors were encountered: