---
# ElastAlert rule: alert on activity performed directly with the AWS
# account root identity, as recorded in CloudTrail.
# Shared settings (ES connection, index, alerters, ...) come from the
# included file; only the rule-specific keys are declared here.
import: audit.incl

# All filter entries are AND-ed together.
# NOTE(review): `term` is an exact, non-analyzed match — this assumes the
# aws.cloudtrail.* fields are mapped as keyword; confirm against the index
# template, otherwise the rule silently matches nothing.
filter:
  # Principal type is the account root user.
  - term:
      aws.cloudtrail.userIdentity.type: Root
  # Drop events where userIdentity.invokedBy is set — presumably actions
  # carried out by an AWS service on the identity's behalf rather than a
  # person using the root credentials.
  - query:
      bool:
        must_not:
          exists:
            field: aws.cloudtrail.userIdentity.invokedBy
  # Drop service-generated events.
  - query:
      bool:
        must_not:
          term:
            aws.cloudtrail.eventType: AwsServiceEvent

# No suppression window: every matching event raises its own alert.
realert:
  minutes: 0

# "any" fires on each document that passes the filter.
type: any

# Alert body is the formatted alert_text only (no raw match dump);
# {0}, {1}, {2} are filled positionally from alert_text_args.
alert_subject: 'ElastAlert: AWS Root user activity'
alert_text_type: alert_text_only
alert_text: 'AWS Root user activity in account {0} / {1} from {2}'
alert_text_args:
  - aws.cloudtrail.userIdentity.accountId   # {0}
  - aws.cloudtrail.awsRegion                # {1}
  - aws.cloudtrail.sourceIPAddress          # {2}