---
# ElastAlert rule: alert on any CloudTrail activity performed by the AWS
# account root identity. Connection/index settings and the rule name are not
# set here; presumably they come from the imported include file.
import: audit.incl

# ElastAlert ANDs every entry of the filter list: an event must satisfy all
# three clauses to match.
filter:
  # Exact match on the identity type.
  # NOTE(review): `term` is not analyzed — if this field is mapped as `text`
  # rather than `keyword`, "Root" will never match; confirm the index mapping.
  - term:
      aws.cloudtrail.userIdentity.type: Root

  # Drop calls where `invokedBy` is present, i.e. an AWS service acting on
  # behalf of the root identity rather than a direct root credential use.
  - query:
      bool:
        must_not:
          exists:
            field: aws.cloudtrail.userIdentity.invokedBy

  # Drop AWS-internal service events, which are not user-initiated actions.
  - query:
      bool:
        must_not:
          term:
            aws.cloudtrail.eventType: AwsServiceEvent

# No re-alert suppression window: every matching event raises its own alert.
# Intentional for root usage, which should be rare, but expect noise if root
# is used for routine automation.
realert:
  minutes: 0

# Fire on every matching document; no aggregation or threshold.
type: any

alert_subject: 'ElastAlert: AWS Root user activity'
alert_text_type: alert_text_only
# Placeholders {0} {1} {2} are filled positionally from alert_text_args.
alert_text: 'AWS Root user activity in account {0} / {1} from {2}'
alert_text_args:
  - aws.cloudtrail.userIdentity.accountId   # {0}
  - aws.cloudtrail.awsRegion                # {1}
  - aws.cloudtrail.sourceIPAddress          # {2}