From 4b07f5c9205ce89f498eb08e31bb448df149effe Mon Sep 17 00:00:00 2001
From: Kostas Papageorgiou
Date: Wed, 16 Dec 2020 12:36:58 +0200
Subject: [PATCH] Extracting ARNs from policy conditions (#2286)

---
 .../log_processor/parsers/awslogs/extractor_test.go | 1 +
 .../log_processor/parsers/awslogs/indicators.go | 2 +-
 .../log_processor/parsers/awslogs/indicators_test.go | 9 +++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/internal/log_analysis/log_processor/parsers/awslogs/extractor_test.go b/internal/log_analysis/log_processor/parsers/awslogs/extractor_test.go
index c10a9a75ff..aec7870e56 100644
--- a/internal/log_analysis/log_processor/parsers/awslogs/extractor_test.go
+++ b/internal/log_analysis/log_processor/parsers/awslogs/extractor_test.go
@@ -37,6 +37,7 @@ func TestAWSExtractor(t *testing.T) {
 "arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail",
 "arn:aws:iam::123456789012:instance-profile/EC2Dev",
 "arn:aws:ec2:region:111122223333:instance/i-0072230f74b3a798e",
+ "arn:aws:iam::123456789012:instance-profile/ArnLike",
 "arn:aws:ec2:region:111122223333:instance/",
 )
 expectedEvent.AppendAnyAWSInstanceIds("i-081de1d7604b11e4a", "i-0072230f74b3a798e" /* from ARN */)
diff --git a/internal/log_analysis/log_processor/parsers/awslogs/indicators.go b/internal/log_analysis/log_processor/parsers/awslogs/indicators.go
index 8ec061ae98..e90239662b 100644
--- a/internal/log_analysis/log_processor/parsers/awslogs/indicators.go
+++ b/internal/log_analysis/log_processor/parsers/awslogs/indicators.go
@@ -80,7 +80,7 @@ func extractIndicators(w pantherlog.ValueWriter, iter *jsoniter.Iterator, key st
 case jsoniter.StringValue:
 value := iter.ReadString()
 switch key {
- case "arn", "ARN":
+ case "arn", "ARN", "aws:SourceArn":
 pantherlog.ScanARN(w, value)
 case "instanceId", "instance-id":
 pantherlog.ScanAWSInstanceID(w, value)
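Review bot: The new `"aws:SourceArn"` alternative on the `case "arn", "ARN", "aws:SourceArn":` line feeds a policy condition value to `pantherlog.ScanARN` as if it were a concrete resource ARN, but under the `ArnLike` operator (the one the accompanying test fixture uses) the value may be a wildcard pattern rather than a real ARN, and whether `ScanARN` rejects or indexes such a value is not visible in this hunk. A comment on the case line would record that intent for the next condition key someone adds, e.g. `// aws:SourceArn is an IAM policy condition key; under ArnLike its value may be a wildcard pattern rather than a concrete ARN`. Condition values can also be JSON arrays of strings, and this `jsoniter.StringValue` branch only sees scalars, so list-valued conditions depend on how the part of `extractIndicators` outside the hunk treats arrays. The enclosing function starts before and ends after the hunk.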
diff --git a/internal/log_analysis/log_processor/parsers/awslogs/indicators_test.go b/internal/log_analysis/log_processor/parsers/awslogs/indicators_test.go
index 2876e8412d..3d75c42308 100644
--- a/internal/log_analysis/log_processor/parsers/awslogs/indicators_test.go
+++ b/internal/log_analysis/log_processor/parsers/awslogs/indicators_test.go
@@ -35,6 +35,7 @@ func TestExtractRawMessageIndicators(t *testing.T) {
 "arn:aws:cloudtrail:us-west-2:888888888888:trail/panther-lab-cloudtrail",
 "arn:aws:ec2:region:111122223333:instance/",
 "arn:aws:ec2:region:111122223333:instance/i-0072230f74b3a798e",
+ "arn:aws:iam::123456789012:instance-profile/ArnLike",
 "arn:aws:iam::123456789012:instance-profile/EC2Dev",
 }, values.Get(pantherlog.FieldAWSARN))
 assert.Equal([]string{
@@ -77,6 +78,14 @@ const awsRawMessageSample = `
 "availabilityZone":"us-east-1b",
 "imageDescription":"Amazon Linux 2 AMI 2.0.20191217.0 x86_64 HVM gp2",
 "instanceId":"i-081de1d7604b11e4a","instanceType":"t2.micro",
+ "Policy": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {"Condition": {
+ "ArnLike": {"aws:SourceArn": "arn:aws:iam::123456789012:instance-profile/ArnLike"}
+ }}
+ ]
+ },
 "launchTime":"2020-01-13T20:22:32Z",
 "productCodes":[],
 "iamInstanceProfile":{
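Review bot: The new `Policy` block in `awsRawMessageSample` exercises only the literal-ARN shape of an `ArnLike` condition, so the test cannot tell whether a wildcard value (which `ArnLike` permits) or a list-valued `aws:SourceArn` is extracted, dropped, or indexed as a pattern. A second condition value containing `*`, and one where `aws:SourceArn` holds an array of strings, would pin that behaviour, with the corresponding entries (or their deliberate absence) recorded in the expected `FieldAWSARN` list from the first hunk. The `awsRawMessageSample` constant starts before this hunk and continues past it.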