Terrance DeJesus
Hey @imays11, thanks for taking a look! > What type of behavior are you hoping to capture here for IAM? The goal is to ultimately identify IAM API calls with...
@imays11 > From your image it looks like really only "Read" type operations and if that's the case you can probably reduce the risk score. I agree, reduced to low....
We have confirmed that with temporary creds you can do CRUD-based IAM API operations on existing assets in AWS. Thanks again @imays11 for the extra attention here!
@Samirbous - Pushed a commit with a few changes - Small changes to rule name, investigation guide, labels, etc. for consistency - Adjusted the O365 query logic to include user...
cc @DefSecSentinel
Closing this issue as it is currently out of scope for TRADE's cloud threat research.
🚀 Note - Check all fields in queries as `okta.target_app.display_name` is not a native field in the Okta system logs integration OOTB.
Closing this issue as it is currently out of scope for TRADE's cloud threat research.
@jvalente-salemstate - fixed it for ya. Just updated to today's date. Once done, you should be good to merge!
@jvalente-salemstate - Just need to update the `updated_date` in the rule metadata. Then you're good to merge I believe!