Isai
@terrancedejesus I can't find the emulation details in the Meta you linked. What type of behavior are you hoping to capture here for IAM? From my research into STS abuse...
Thank you for the additional details! > You can make certain IAM calls with temporary tokens from GetSessionToken as long as MFA context exists in the token itself. Typically you...
@richlv Do you have any sample data you could share showing this?
Perhaps some of the criteria causing the alerts associated with that identity, I'm looking for something that could be excluded globally as I don't have any telemetry data related to...
Thank you, I may not be able to outright exclude that network but there may be some combination of network+event.provider+user agent values that can safely be excluded, I'll do some...
@richlv Thank you for your feedback, it's hard to exclude that network and those user agents globally. I think your local exclusions are the best option. Globally, I think the...
A rule tuning has been created to address the noise level for this rule. I was not able to explicitly exclude any additional networks; local exclusions are best for this...
This will be addressed as a part of the AWS rule tuning effort.
Since you're doing a mass update on ESQL rule keep fields, could you also add `data_stream.namespace`, since this field has been requested by a customer for ESQL rules?