Extracting ARNs from policy conditions (#2286)
Kostas Papageorgiou authored Dec 16, 2020
1 parent 9eda885 commit 4b07f5c
Showing 3 changed files with 11 additions and 1 deletion.
Expand Up @@ -37,6 +37,7 @@ func TestAWSExtractor(t *testing.T) {
"arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail",
"arn:aws:iam::123456789012:instance-profile/EC2Dev",
"arn:aws:ec2:region:111122223333:instance/i-0072230f74b3a798e",
"arn:aws:iam::123456789012:instance-profile/ArnLike",
"arn:aws:ec2:region:111122223333:instance/",
)
expectedEvent.AppendAnyAWSInstanceIds("i-081de1d7604b11e4a", "i-0072230f74b3a798e" /* from ARN */)
Expand Up @@ -80,7 +80,7 @@ func extractIndicators(w pantherlog.ValueWriter, iter *jsoniter.Iterator, key st
case jsoniter.StringValue:
value := iter.ReadString()
switch key {
case "arn", "ARN":
case "arn", "ARN", "aws:SourceArn":
pantherlog.ScanARN(w, value)
case "instanceId", "instance-id":
pantherlog.ScanAWSInstanceID(w, value)
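Review bot: The new label in `case "arn", "ARN", "aws:SourceArn":` is compared by exact spelling, while IAM treats condition key names as case-insensitive, so a policy that writes `aws:sourcearn` would slip past this switch and its ARN would never reach the indicator field that searches and detections rely on. A small normalisation ahead of `switch key`, such as `if strings.EqualFold(key, "aws:SourceArn") { key = "arn" }`, would close that gap without touching the other labels (the file's imports are not visible here, so `strings` may need adding). Values under `ArnLike` may also contain `*` or `?` wildcards; whether `pantherlog.ScanARN` stores such a pattern as if it were a concrete resource ARN cannot be seen from this hunk and deserves a comment next to the case, e.g. `// condition values may be ARN patterns, not concrete resources`. The body of extractIndicators starts and ends outside the hunk.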
Expand Up @@ -35,6 +35,7 @@ func TestExtractRawMessageIndicators(t *testing.T) {
"arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail",
"arn:aws:ec2:region:111122223333:instance/",
"arn:aws:ec2:region:111122223333:instance/i-0072230f74b3a798e",
"arn:aws:iam::123456789012:instance-profile/ArnLike",
"arn:aws:iam::123456789012:instance-profile/EC2Dev",
}, values.Get(pantherlog.FieldAWSARN))
assert.Equal([]string{
Expand Down Expand Up @@ -77,6 +78,14 @@ const awsRawMessageSample = `
"availabilityZone":"us-east-1b",
"imageDescription":"Amazon Linux 2 AMI 2.0.20191217.0 x86_64 HVM gp2",
"instanceId":"i-081de1d7604b11e4a","instanceType":"t2.micro",
"Policy": {
"Version": "2012-10-17",
"Statement": [
{"Condition": {
"ArnLike": {"aws:SourceArn": "arn:aws:iam::123456789012:instance-profile/ArnLike"}
}}
]
},
"launchTime":"2020-01-13T20:22:32Z",
"productCodes":[],
"iamInstanceProfile":{
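Review bot: The fixture added to `awsRawMessageSample` exercises only one shape, a single string under an exactly-cased `aws:SourceArn`, so the test would still pass if list-valued conditions were silently dropped. IAM allows a condition key to map to an array of values; adding a second statement such as `"ArnLike": {"aws:SourceArn": ["arn:aws:iam::123456789012:role/A", "arn:aws:iam::123456789012:role/B"]}` (constructed sample values) and asserting both ARNs would pin that behaviour. The sample constant and the test function both continue outside the hunks shown.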