From 349dd720526dc38a2c4fc66e9a7c2cfde8becfa2 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Tue, 17 Dec 2024 15:50:22 -0500
Subject: [PATCH] adjusted query

---
 .../aws/collection_s3_unauthenticated_bucket_listing.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
index 72298574511..ed4b2f4e15b 100644
--- a/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
+++ b/rules/integrations/aws/collection_s3_unauthenticated_bucket_listing.toml
@@ -102,8 +102,10 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-event.dataset:"aws.cloudtrail"
- and event.provider:"s3.amazonaws.com" and event.action:"ListObjects"
+event.dataset: "aws.cloudtrail"
+ and event.provider: "s3.amazonaws.com"
+ and event.action: "ListObjects"
+ and event.outcome: "success"
  and aws.cloudtrail.user_identity.type: ("AWSAccount" or "Unknown")
  and cloud.account.id: "anonymous"
 '''
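Review bot: The added `and event.outcome: "success"` clause narrows coverage without recording why: anonymous `ListObjects` calls that are denied no longer match, so unauthenticated probing of correctly locked-down buckets is no longer seen by this rule. That is a sensible trade for a rule about real exposure, but the rule's description or investigation notes (outside this hunk) should state that only successful listings alert, and that failed anonymous attempts need separate coverage if they matter. Because the rule is `type = "new_terms"`, it is also worth confirming how the narrower query affects terms that earlier appeared only in failed events, since they may now surface as first-seen. The commit subject `adjusted query` gives no reason for the filter; one line such as `restrict to successful anonymous ListObjects to cut failed-probe noise` would help later triage.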