elastalert-lambda/example_rules/AWS_RootAccount.yaml


# ElastAlert rule: alert on CloudTrail activity performed with the AWS
# account root identity. Root usage should be rare, so every match is
# surfaced individually (no re-alert suppression, see realert below).
import: audit.incl

filter:
  # Only events whose principal is the root identity (not an IAM user/role).
  # NOTE(review): if this field is mapped as analyzed text rather than
  # keyword, a term on "Root" may not match — confirm against the index
  # mapping and use the .keyword subfield if needed.
  - term:
      aws.cloudtrail.userIdentity.type: Root

  # Drop events where an AWS service acted on root's behalf (invokedBy set);
  # those are not interactive root usage.
  - query:
      bool:
        must_not:
          exists:
            field: aws.cloudtrail.userIdentity.invokedBy

  # Drop service-generated events, which carry the root identity but are
  # emitted by AWS itself rather than by a person or credential.
  - query:
      bool:
        must_not:
          term:
            aws.cloudtrail.eventType: AwsServiceEvent

# 0 minutes: never suppress repeats — each matching event alerts on its own.
realert:
  minutes: 0

type: any

alert_subject: "ElastAlert: AWS Root user activity"
alert_text_type: alert_text_only
# {0}, {1}, {2} are filled, in order, from alert_text_args below.
alert_text: "AWS Root user activity in account {0} / {1} from {2}"
alert_text_args:
  - aws.cloudtrail.userIdentity.accountId
  - aws.cloudtrail.awsRegion
  - aws.cloudtrail.sourceIPAddress