airbnb/streamalert

Add `PutEventSelectors` to cloudtrail_critical_api_calls.py

KevinHock opened this issue 4 years ago · 1 comments

KevinHock commented 4 years ago

Description

See https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass for why cloudtrail:PutEventSelectors is important.

Desired Change

Presumably, add PutEventSelectors to the set in cloudtrail_critical_api_calls.py https://github.com/airbnb/streamalert/blob/master/rules/community/cloudwatch_events/cloudtrail_critical_api_calls.py#L12-L15

ryandeivert commented 3 years ago

address in #1303