feat: add support correlation feature #97

fukusuket · 2025-07-26T15:53:06Z

What Changed

Closed Add support for correlation rules #95
Added support for sigma correlation (event_count, value_count, temporal, temporal_order)
- https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-correlation-rules-specification.md
sigma-rust ref branch feat: add Sigma v2 Correlation feature jopohl/sigma-rust#31
refactor: Separate the writer logic into aws_detect_writer.rs

Limitation

Only supports correlation rules that reference rules within the same file.
Correlation rules that reference rules in other files are planned to be supported in a separate PR.

Copilot

Pull Request Overview

This PR adds support for correlation features by implementing a new correlation engine that can process and match events across multiple rules. The implementation introduces a new correlation rule loading system and separates output writing functionality into a dedicated module.

Adds correlation rule loading and processing capabilities
Refactors output writing logic into a separate module for better maintainability
Updates function signatures to pass references instead of values for improved performance

Reviewed Changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/core/scan.rs	Refactors scanning functions to support correlation processing and updates parameter handling
src/core/rules.rs	Adds correlation rule loading functionality with comprehensive tests
src/cmd/aws_summary.rs	Updates function call to pass reference parameter
src/cmd/aws_metrics.rs	Updates function call to pass reference parameter
src/cmd/aws_detect_writer.rs	New module containing all output writing functionality extracted from aws_detect.rs
src/cmd/aws_detect.rs	Refactored to use new writer module and adds correlation processing logic
src/cmd.rs	Adds new aws_detect_writer module
Cargo.toml	Updates sigma-rust dependency to specific git revision and adds tempfile for testing

src/core/rules.rs

src/cmd/aws_detect_writer.rs

src/core/scan.rs

fukusuket · 2025-07-26T16:10:07Z

event_count

title: Correlation Test
id: 49d15187-4203-4e11-8acd-8736f25b6609
status: test
author: TEST
correlation:
    type: event_count
    rules:
        - Console Login With MFA
    group-by:
        - sourceIPAddress
    timespan: 3d
    condition:
        gte: 3
        field: sourceIPAddress
    generate: true 
level: high
---
title: Console Login With MFA
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: signin.amazonaws.com
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'Yes'
    condition: selection
level: informational

./suzaku aws-ct-timeline -d ../data/suzaku-sample-data-main -o timeline -t 5 -r test.yml -q -T
Start time: 2025/07/27 01:08
Version: 0.3.0-dev (Dev Build)

Total detection rules: 0
Total correlation rules: 1
Total log files: 3980
Total file size: 251.1 MiB

Scanning now. Please wait.

[00:00:10] 3,980 / 3,980   [========================================] 100%

Scanning finished.

Rule Authors:
╭──────────╮
│ TEST (1) │
╰──────────╯

Results Summary:
Events with hits / Total events: 10 / 1,972,588 (Data reduction: 1,972,578 events (100.00%))
Total | Unique critical detections: 0 (0%) | 0 (0%)
Total | Unique high detections: 3 (30%) | 1 (10%)
Total | Unique medium detections: 0 (0%) | 0 (0%)
Total | Unique low detections: 0 (0%) | 0 (0%)
Total | Unique informational detections: 10 (100%) | 1 (10%)

First event time: 2017-02-26 17:48:22 UTC
Last event time: 2018-07-07 15:29:55 UTC

Dates with most total detections:
critical: n/a, high: 2018-07-07 (1), medium: n/a, low: n/a, informational: 2017-02-28 (2)
╭────────────────────────────────────────────────────╮
│ Top critical alerts:          Top high alerts:     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                           Correlation Test (3) │
│ n/a                           n/a                  │
│ n/a                           n/a                  │
│ n/a                           n/a                  │
│ n/a                           n/a                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:            Top low alerts:      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                           n/a                  │
│ n/a                           n/a                  │
│ n/a                           n/a                  │
│ n/a                           n/a                  │
│ n/a                           n/a                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                          │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Console Login With MFA (10)                        │
│ n/a                                                │
│ n/a                                                │
│ n/a                                                │
│ n/a                                                │
╰─────────────────────────────╌──────────────────────╯

Results saved: timeline.csv (4.8 KiB) and timeline.jsonl (7.7 KiB)
Elapsed time: 00:00:10

Timestamp,RuleTitle,RuleAuthor,Level,EventName,EventSource,AWS-Region,SrcIP,UserAgent,UserName,UserType,UserAccountID,UserARN,UserPrincipalID,UserAccessKeyID,EventID,RuleID
2018-07-06 04:14:52,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,250.251.253.3,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,7bb0fb71-4a86-43f6-816c-3ae44fbcc550,-
2018-07-06 22:30:23,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,250.251.253.3,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,f74458-4618-4a68-a294-e410868de240e,-
2018-07-07 15:29:55,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,250.251.253.3,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,08606-5098-4a93-91e4-f8cd38a261d3,-
2018-07-07 15:29:55,Correlation Test,TEST,high,ConsoleLogin,signin.amazonaws.com,us-east-1,250.251.253.3,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,08606-5098-4a93-91e4-f8cd38a261d3 ¦ 7bb0fb71-4a86-43f6-816c-3ae44fbcc550 ¦ f74458-4618-4a68-a294-e410868de240e,49d15187-4203-4e11-8acd-8736f25b6609
2017-02-26 17:48:22,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,323932f1-4180-482b-a76a-32d29918aff7,-
2017-02-27 13:07:23,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,7511fbbb-00db-4d0e-8ab6-29ae9a18875a,-
2017-02-28 01:24:10,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,5738d4e2-fa01-4945-8671-10cca81bb4bd,-
2017-02-28 17:35:07,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,47acea95-b2d2-4ec6-80b1-ee4ef8e543080,-
2017-02-28 17:35:07,Correlation Test,TEST,high,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,323932f1-4180-482b-a76a-32d29918aff7 ¦ 47acea95-b2d2-4ec6-80b1-ee4ef8e543080 ¦ 5738d4e2-fa01-4945-8671-10cca81bb4bd ¦ 7511fbbb-00db-4d0e-8ab6-29ae9a18875a,49d15187-4203-4e11-8acd-8736f25b6609
2017-03-02 00:06:14,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,4aaf5e21-5763-4229-bf42-f1abef4d4e9c,-
2017-03-03 03:45:55,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,9f110255-096d-4b36-821b-3ac4da08dc53,-
2017-03-03 22:26:05,Console Login With MFA,-,informational,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",-,Root,811596193553,arn:aws:iam::811596193553:root,811596193553,-,d3161cd2-d6a8-4a42-8fee-cd85db62811f,-
2017-03-03 22:26:05,Correlation Test,TEST,high,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKitimeline.csv

fukusuket · 2025-07-26T16:16:50Z

@YamatoSecurity @hach1yon
Sorry for the long delay in implementation... I'd really appreciate it if you could review it when you have time🙏

fukusuket · 2025-07-28T04:12:54Z

value_count

title: Correlation value_count Test
id: 49d15187-4203-4e11-8acd-8736f25b66xx
status: test
author: TEST
correlation:
    type: value_count
    rules:
        - Console Login Without MFA
    group-by:
        - sourceIPAddress
    timespan: 3d
    condition:
        gte: 2
        field: sourceIPAddress
    generate: true 
level: high
---
title: Console Login Without MFA
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: signin.amazonaws.com
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'No'
    condition: selection
level: medium

./suzaku aws-ct-timeline -d ../data/suzaku-sample-data-main -q -o timeline.csv -r test.yml -C -T

Start time: 2025/07/28 13:12
Version: 0.3.0-dev (Dev Build)

Total detection rules: 0
Total correlation rules: 1
Total log files: 3980
Total file size: 251.1 MiB

Scanning now. Please wait.

[00:00:10] 3,980 / 3,980   [========================================] 100%

Scanning finished.

Rule Authors:
╭──────────╮
│ TEST (1) │
╰──────────╯

Results Summary:
Events with hits / Total events: 9 / 1,972,588 (Data reduction: 1,972,579 events (100.00%))
Total | Unique critical detections: 0 (0%) | 0 (0%)
Total | Unique high detections: 2 (22%) | 1 (11%)
Total | Unique medium detections: 9 (100%) | 1 (11%)
Total | Unique low detections: 0 (0%) | 0 (0%)
Total | Unique informational detections: 0 (0%) | 0 (0%)

First event time: 2017-05-16 23:05:01 UTC
Last event time: 2018-02-26 19:04:39 UTC

Dates with most total detections:
critical: n/a, high: 2018-02-26 (1), medium: 2018-02-26 (6), low: n/a, informational: n/a
╭──────────────────────────────────────────────────────────────────╮
│ Top critical alerts:            Top high alerts:                 │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                             Correlation value_count Test (2) │
│ n/a                             n/a                              │
│ n/a                             n/a                              │
│ n/a                             n/a                              │
│ n/a                             n/a                              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:              Top low alerts:                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Console Login Without MFA (9)   n/a                              │
│ n/a                             n/a                              │
│ n/a                             n/a                              │
│ n/a                             n/a                              │
│ n/a                             n/a                              │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                        │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                              │
│ n/a                                                              │
│ n/a                                                              │
│ n/a                                                              │
│ n/a                                                              │
╰───────────────────────────────╌──────────────────────────────────╯

Results saved: timeline.csv (4.2 KiB)
Elapsed time: 00:00:10

% cat timeline.csv
Timestamp,RuleTitle,RuleAuthor,Level,EventName,EventSource,AWS-Region,SrcIP,UserAgent,UserName,UserType,UserAccountID,UserARN,UserPrincipalID,UserAccessKeyID,EventID,RuleID
2017-05-16 23:05:01,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",piper,IAMUser,811596193553,arn:aws:iam::811596193553:user/piper,AIDA7ZI0RCYCPBIR0OIC3,-,97ae0290-6b12-42c1-b091-72d486bbd7f3,-
2017-05-17 23:23:34,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,8.120.255.102,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,dfa44a56-a58e-4e49-84fd-9128ee48ce8c,-
2017-05-17 23:23:41,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,8.120.255.102,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,c6a77d6f-eb54-4e21-b64b-54d45e72d972,-
2017-05-17 23:23:41,Correlation value_count Test,TEST,high,ConsoleLogin,signin.amazonaws.com,us-east-1,255.253.125.115 ¦ 8.120.255.102,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",HIDDEN_DUE_TO_SECURITY_REASONS ¦ piper,IAMUser,811596193553,- ¦ arn:aws:iam::811596193553:user/piper,- ¦ AIDA7ZI0RCYCPBIR0OIC3, ¦ -,97ae0290-6b12-42c1-b091-72d486bbd7f3 ¦ c6a77d6f-eb54-4e21-b64b-54d45e72d972 ¦ dfa44a56-a58e-4e49-84fd-9128ee48ce8c,49d15187-4203-4e11-8acd-8736f25b66xx
2018-02-26 01:12:46,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,231.17.3.165,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,3daabae9-9a1c-4d6e-b2d9-78eb7d13730a,-
2018-02-26 18:45:36,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,12.80.110.252,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,fff18752-e41e-45cd-a4ee-989aac69d711,-
2018-02-26 18:45:51,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,12.80.110.252,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,7f87667-150f-4671-a4ba-f35977e1a953,-
2018-02-26 18:46:19,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,12.80.110.252,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,cd38e013-1ef9-493a-b096-5af22724bfef,-
2018-02-26 18:47:44,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,12.80.110.252,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,498b0d9d-3554-4501-bc6a-69c8ca8a8c63,-
2018-02-26 19:04:39,Console Login Without MFA,-,medium,ConsoleLogin,signin.amazonaws.com,us-east-1,12.80.110.252,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,3847f6a1-9033-4fb0-bfe3-5d7321e60b42,-
2018-02-26 19:04:39,Correlation value_count Test,TEST,high,ConsoleLogin,signin.amazonaws.com,us-east-1,12.80.110.252 ¦ 231.17.3.165,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",HIDDEN_DUE_TO_SECURITY_REASONS,IAMUser,811596193553,-,-,,3847f6a1-9033-4fb0-bfe3-5d7321e60b42 ¦ 3daabae9-9a1c-4d6e-b2d9-78eb7d13730a ¦ 498b0d9d-3554-4501-bc6a-69c8ca8a8c63 ¦ 7f87667-150f-4671-a4ba-f35977e1a953 ¦ cd38e013-1ef9-493a-b096-5af22724bfef ¦ fff18752-e41e-45cd-a4ee-989aac69d711,49d15187-4203-4e11-8acd-8736f25b66xx

fukusuket · 2025-07-28T05:34:11Z

temporal

title: Correlation temporal Test
id: 49d15187-4203-4e11-8acd-8736f25b66xx
status: test
author: TEST
correlation:
    type: temporal
    rules:
        - CloudTrail Log Settings Modified
        - Console Login Without MFA
        - Role Enumeration
    timespan: 3d
    generate: true
level: high
---
title: CloudTrail Log Settings Modified
author: Zach Mathis (@yamatosecurity)
date: 2025-04-23
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'cloudtrail.amazonaws.com'
        eventName: 'UpdateTrail'
    filter:
        errorCode: 'AccessDenied'
    condition: selection and not filter
level: high
---
title: Console Login Without MFA
author: Zach Mathis (@yamatosecurity)
date: 2025-04-13
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: signin.amazonaws.com
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'No'
    condition: selection
level: medium
---
title: Role Enumeration 
author: Zach Mathis (@yamatosecurity)
date: 2025-04-24
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'ListRoles'
    condition: selection
falsepositives:
level: low

% ./suzaku aws-ct-timeline -d ../data/suzaku-sample-data-main -q -o timeline.csv -C -r test2.yml -T
Start time: 2025/07/28 14:32
Version: 0.3.0-dev (Dev Build)

Total detection rules: 0
Total correlation rules: 1
Total log files: 3980
Total file size: 251.1 MiB

Scanning now. Please wait.

[00:00:11] 3,980 / 3,980   [========================================] 100%

Scanning finished.

Rule Authors:
╭────────────────────────────────────────────╮
│ Zach Mathis (@yamatosecu... (3)   TEST (1) │
╰─────────────────────────────────╌──────────╯

Results Summary:
Events with hits / Total events: 19 / 1,972,588 (Data reduction: 1,972,569 events (100.00%))
Total | Unique critical detections: 0 (0%) | 0 (0%)
Total | Unique high detections: 9 (47%) | 2 (10%)
Total | Unique medium detections: 5 (26%) | 1 (5%)
Total | Unique low detections: 6 (31%) | 1 (5%)
Total | Unique informational detections: 0 (0%) | 0 (0%)

First event time: 2021-07-29 00:07:51 UTC
Last event time: 2021-07-30 10:37:34 UTC

Dates with most total detections:
critical: n/a, high: 2021-07-29 (8), medium: 2021-07-29 (3), low: 2021-07-29 (6), informational: n/a
╭──────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:            Top high alerts:                     │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                             CloudTrail Log Settings Modified (8) │
│ n/a                             Correlation temporal Test (1)        │
│ n/a                             n/a                                  │
│ n/a                             n/a                                  │
│ n/a                             n/a                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:              Top low alerts:                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Console Login Without MFA (5)   Role Enumeration (6)                 │
│ n/a                             n/a                                  │
│ n/a                             n/a                                  │
│ n/a                             n/a                                  │
│ n/a                             n/a                                  │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                            │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                  │
│ n/a                                                                  │
│ n/a                                                                  │
│ n/a                                                                  │
│ n/a                                                                  │
╰───────────────────────────────╌──────────────────────────────────────╯

Results saved: timeline.csv (7.8 KiB)
Elapsed time: 00:00:11

% cat timeline.csv
Timestamp,RuleTitle,RuleAuthor,Level,EventName,EventSource,AWS-Region,SrcIP,UserAgent,UserName,UserType,UserAccountID,UserARN,UserPrincipalID,UserAccessKeyID,EventID,RuleID
2021-07-29 12:57:40,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,96.253.26.224,console.ec2.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KYETYTWZT,6c3021c3-5697-431c-a27e-2427f30d67f4,-
2021-07-29 12:53:34,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,96936d41-6e5e-4a11-9d2f-a71f5563d495,-
2021-07-29 12:54:17,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,1471f842-143d-4a6c-b5ce-4cdc1647d8c8,-
2021-07-29 23:53:38,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,4a705624-78a0-4bd2-836e-23b71835fb3c,-
2021-07-29 23:53:44,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,58948382-c029-4088-8616-0d1f0177a524,-
2021-07-29 23:53:40,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,c7dc5b3a-46b9-4f48-905a-4fbeca2a00c4,-
2021-07-29 23:53:53,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,bd22d695-1357-4ab6-b90b-f80a5ce4ac6c,-
2021-07-29 23:53:38,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,4a705624-78a0-4bd2-836e-23b71835fb3c,-
2021-07-29 23:53:44,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,58948382-c029-4088-8616-0d1f0177a524,-
2021-07-29 23:53:40,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,c7dc5b3a-46b9-4f48-905a-4fbeca2a00c4,-
2021-07-29 23:53:53,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,bd22d695-1357-4ab6-b90b-f80a5ce4ac6c,-
2021-07-29 00:07:51,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,640b0c32-6a3e-4358-9309-8ee6c5c32d2f,-
2021-07-29 13:06:41,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,Boto3/1.18.1 Python/3.9.5 Linux/4.14.238-182.422.amzn2.x86_64 Botocore/1.21.1,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,ed8cbeb1-7fc4-47ed-bed0-9d0d1ee2ea06,-
2021-07-29 13:04:50,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,8de28ce8-4202-4ebc-a15c-588970709ded,-
2021-07-29 13:03:42,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,6c160954-0257-495b-b970-0de16fd34eb4,-
2021-07-29 13:04:40,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,9f7fbc51-3107-41e7-8a97-6ce580ab5d7d,-
2021-07-29 13:07:39,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,1d01fdd5-67a1-4367-8391-9ee5c5ba53b9,-
2021-07-30 10:37:34,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,63d86d13-4ce4-4fa7-aef9-00b64cd67d3f,-
2021-07-30 10:37:34,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,63d86d13-4ce4-4fa7-aef9-00b64cd67d3f,-
2021-07-30 10:37:34,Correlation temporal Test,TEST,high,ConsoleLogin ¦ ListRoles ¦ UpdateTrail,cloudtrail.amazonaws.com ¦ iam.amazonaws.com ¦ signin.amazonaws.com,us-east-1 ¦ us-west-1,3.238.12.183 ¦ 96.253.26.224,"Boto3/1.18.1 Python/3.9.5 Linux/4.14.238-182.422.amzn2.x86_64 Botocore/1.21.1 ¦ Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 ¦ aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles ¦ console.amazonaws.com ¦ console.ec2.amazonaws.com",- ¦ jmerckle,IAMUser ¦ Root,342082656213,arn:aws:iam::342082656213:root ¦ arn:aws:iam::342082656213:user/jmerckle,342082656213 ¦ AIDAU7JNXC7KTE2ELED2M, ¦ AKIAU7JNXC7K7XNL3F6J ¦ ASIAU7JNXC7KWALOOGDA ¦ ASIAU7JNXC7KYETYTWZT,1471f842-143d-4a6c-b5ce-4cdc1647d8c8 ¦ 1d01fdd5-67a1-4367-8391-9ee5c5ba53b9 ¦ 4a705624-78a0-4bd2-836e-23b71835fb3c ¦ 58948382-c029-4088-8616-0d1f0177a524 ¦ 63d86d13-4ce4-4fa7-aef9-00b64cd67d3f ¦ 640b0c32-6a3e-4358-9309-8ee6c5c32d2f ¦ 6c160954-0257-495b-b970-0de16fd34eb4 ¦ 6c3021c3-5697-431c-a27e-2427f30d67f4 ¦ 8de28ce8-4202-4ebc-a15c-588970709ded ¦ 96936d41-6e5e-4a11-9d2f-a71f5563d495 ¦ 9f7fbc51-3107-41e7-8a97-6ce580ab5d7d ¦ bd22d695-1357-4ab6-b90b-f80a5ce4ac6c ¦ c7dc5b3a-46b9-4f48-905a-4fbeca2a00c4 ¦ ed8cbeb1-7fc4-47ed-bed0-9d0d1ee2ea06,49d15187-4203-4e11-8acd-8736f25b66xx

fukusuket · 2025-07-28T05:39:22Z

temporal_ordered

title: Correlation temporal_ordered Test
id: 49d15187-4203-4e11-8acd-8736f25b66xx
status: test
author: TEST
correlation:
    type: temporal_ordered
    rules:
        - Console Login Without MFA
        - Role Enumeration
        - CloudTrail Log Settings Modified
    timespan: 1d
    generate: true
level: high
---
title: CloudTrail Log Settings Modified
author: Zach Mathis (@yamatosecurity)
date: 2025-04-23
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'cloudtrail.amazonaws.com'
        eventName: 'UpdateTrail'
    filter:
        errorCode: 'AccessDenied'
    condition: selection and not filter
level: high
---
title: Console Login Without MFA
author: Zach Mathis (@yamatosecurity)
date: 2025-04-13
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: signin.amazonaws.com
        eventName: 'ConsoleLogin'
        additionalEventData.MFAUsed: 'No'
    condition: selection
level: medium
---
title: Role Enumeration 
author: Zach Mathis (@yamatosecurity)
date: 2025-04-24
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName: 'ListRoles'
    condition: selection
falsepositives:
level: low

./suzaku aws-ct-timeline -d ../data/suzaku-sample-data-main -q -o timeline.csv -C -r test2.yml -T
Start time: 2025/07/28 14:37
Version: 0.3.0-dev (Dev Build)

Total detection rules: 0
Total correlation rules: 1
Total log files: 3980
Total file size: 251.1 MiB

Scanning now. Please wait.

[00:00:11] 3,980 / 3,980   [========================================] 100%

Scanning finished.

Rule Authors:
╭────────────────────────────────────────────╮
│ Zach Mathis (@yamatosecu... (3)   TEST (1) │
╰─────────────────────────────────╌──────────╯

Results Summary:
Events with hits / Total events: 17 / 1,972,588 (Data reduction: 1,972,571 events (100.00%))
Total | Unique critical detections: 0 (0%) | 0 (0%)
Total | Unique high detections: 9 (52%) | 2 (11%)
Total | Unique medium detections: 3 (17%) | 1 (5%)
Total | Unique low detections: 6 (35%) | 1 (5%)
Total | Unique informational detections: 0 (0%) | 0 (0%)

First event time: 2021-07-29 00:07:51 UTC
Last event time: 2021-07-29 23:53:53 UTC

Dates with most total detections:
critical: n/a, high: 2021-07-29 (9), medium: 2021-07-29 (3), low: 2021-07-29 (6), informational: n/a
╭───────────────────────────────────────────────────────────────────────╮
│ Top critical alerts:            Top high alerts:                      │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                             CloudTrail Log Settings Modified (8)  │
│ n/a                             Correlation temporal_ordered Test (1) │
│ n/a                             n/a                                   │
│ n/a                             n/a                                   │
│ n/a                             n/a                                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top medium alerts:              Top low alerts:                       │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Console Login Without MFA (3)   Role Enumeration (6)                  │
│ n/a                             n/a                                   │
│ n/a                             n/a                                   │
│ n/a                             n/a                                   │
│ n/a                             n/a                                   │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Top informational alerts:                                             │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ n/a                                                                   │
│ n/a                                                                   │
│ n/a                                                                   │
│ n/a                                                                   │
│ n/a                                                                   │
╰───────────────────────────────╌───────────────────────────────────────╯

Results saved: timeline.csv (7.0 KiB)
Elapsed time: 00:00:11

cat timeline.csv
Timestamp,RuleTitle,RuleAuthor,Level,EventName,EventSource,AWS-Region,SrcIP,UserAgent,UserName,UserType,UserAccountID,UserARN,UserPrincipalID,UserAccessKeyID,EventID,RuleID
2021-07-29 00:07:51,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,640b0c32-6a3e-4358-9309-8ee6c5c32d2f,-
2021-07-29 12:53:34,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,96936d41-6e5e-4a11-9d2f-a71f5563d495,-
2021-07-29 12:54:17,Console Login Without MFA,Zach Mathis (@yamatosecurity),medium,ConsoleLogin,signin.amazonaws.com,us-east-1,96.253.26.224,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,,1471f842-143d-4a6c-b5ce-4cdc1647d8c8,-
2021-07-29 12:57:40,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,96.253.26.224,console.ec2.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KYETYTWZT,6c3021c3-5697-431c-a27e-2427f30d67f4,-
2021-07-29 13:03:42,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,6c160954-0257-495b-b970-0de16fd34eb4,-
2021-07-29 13:04:40,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,9f7fbc51-3107-41e7-8a97-6ce580ab5d7d,-
2021-07-29 13:04:50,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,8de28ce8-4202-4ebc-a15c-588970709ded,-
2021-07-29 13:06:41,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,Boto3/1.18.1 Python/3.9.5 Linux/4.14.238-182.422.amzn2.x86_64 Botocore/1.21.1,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,ed8cbeb1-7fc4-47ed-bed0-9d0d1ee2ea06,-
2021-07-29 13:07:39,Role Enumeration,Zach Mathis (@yamatosecurity),low,ListRoles,iam.amazonaws.com,us-east-1,3.238.12.183,aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles,jmerckle,IAMUser,342082656213,arn:aws:iam::342082656213:user/jmerckle,AIDAU7JNXC7KTE2ELED2M,AKIAU7JNXC7K7XNL3F6J,1d01fdd5-67a1-4367-8391-9ee5c5ba53b9,-
2021-07-29 23:53:38,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,4a705624-78a0-4bd2-836e-23b71835fb3c,-
2021-07-29 23:53:38,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,4a705624-78a0-4bd2-836e-23b71835fb3c,-
2021-07-29 23:53:40,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,c7dc5b3a-46b9-4f48-905a-4fbeca2a00c4,-
2021-07-29 23:53:40,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,c7dc5b3a-46b9-4f48-905a-4fbeca2a00c4,-
2021-07-29 23:53:44,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,58948382-c029-4088-8616-0d1f0177a524,-
2021-07-29 23:53:44,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,58948382-c029-4088-8616-0d1f0177a524,-
2021-07-29 23:53:53,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,bd22d695-1357-4ab6-b90b-f80a5ce4ac6c,-
2021-07-29 23:53:53,CloudTrail Log Settings Modified,Zach Mathis (@yamatosecurity),high,UpdateTrail,cloudtrail.amazonaws.com,us-west-1,96.253.26.224,console.amazonaws.com,-,Root,342082656213,arn:aws:iam::342082656213:root,342082656213,ASIAU7JNXC7KWALOOGDA,bd22d695-1357-4ab6-b90b-f80a5ce4ac6c,-
2021-07-29 23:53:53,Correlation temporal_ordered Test,TEST,high,ConsoleLogin ¦ ListRoles ¦ UpdateTrail,cloudtrail.amazonaws.com ¦ iam.amazonaws.com ¦ signin.amazonaws.com,us-east-1 ¦ us-west-1,3.238.12.183 ¦ 96.253.26.224,"Boto3/1.18.1 Python/3.9.5 Linux/4.14.238-182.422.amzn2.x86_64 Botocore/1.21.1 ¦ Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 ¦ aws-cli/2.2.23 Python/3.8.8 Linux/4.14.238-182.422.amzn2.x86_64 exe/x86_64.amzn.2 prompt/off command/iam.list-roles ¦ console.amazonaws.com ¦ console.ec2.amazonaws.com",- ¦ jmerckle,IAMUser ¦ Root,342082656213,arn:aws:iam::342082656213:root ¦ arn:aws:iam::342082656213:user/jmerckle,342082656213 ¦ AIDAU7JNXC7KTE2ELED2M, ¦ AKIAU7JNXC7K7XNL3F6J ¦ ASIAU7JNXC7KWALOOGDA ¦ ASIAU7JNXC7KYETYTWZT,1471f842-143d-4a6c-b5ce-4cdc1647d8c8 ¦ 1d01fdd5-67a1-4367-8391-9ee5c5ba53b9 ¦ 4a705624-78a0-4bd2-836e-23b71835fb3c ¦ 58948382-c029-4088-8616-0d1f0177a524 ¦ 640b0c32-6a3e-4358-9309-8ee6c5c32d2f ¦ 6c160954-0257-495b-b970-0de16fd34eb4 ¦ 6c3021c3-5697-431c-a27e-2427f30d67f4 ¦ 8de28ce8-4202-4ebc-a15c-588970709ded ¦ 96936d41-6e5e-4a11-9d2f-a71f5563d495 ¦ 9f7fbc51-3107-41e7-8a97-6ce580ab5d7d ¦ bd22d695-1357-4ab6-b90b-f80a5ce4ac6c ¦ c7dc5b3a-46b9-4f48-905a-4fbeca2a00c4 ¦ ed8cbeb1-7fc4-47ed-bed0-9d0d1ee2ea06,49d15187-4203-4e11-8acd-8736f25b66xx

YamatoSecurity

@fukusuket LGTM! Thanks so much!!

fukusuket added 3 commits July 26, 2025 22:10

feat: add support for correlation rule

521c249

refactor: Separate the writer logic

4c4b3e9

feat: add correlation record output logic

383d257

fukusuket added this to the v0.3.0 milestone Jul 26, 2025

fukusuket self-assigned this Jul 26, 2025

fukusuket added the enhancement New feature or request label Jul 26, 2025

fukusuket requested a review from Copilot July 26, 2025 15:53

Copilot AI reviewed Jul 26, 2025

View reviewed changes

src/core/rules.rs Show resolved Hide resolved

src/cmd/aws_detect_writer.rs Outdated Show resolved Hide resolved

src/cmd/aws_detect_writer.rs Show resolved Hide resolved

src/core/scan.rs Show resolved Hide resolved

src/core/scan.rs Outdated Show resolved Hide resolved

fix: copilot review comment

754d6d3

fukusuket marked this pull request as ready for review July 26, 2025 16:13

fukusuket requested review from hach1yon and YamatoSecurity July 26, 2025 16:16

fukusuket added 3 commits July 27, 2025 01:25

fix: remove unneeded clippy allow

b9a97bf

fix: remove unneeded clippy allow

6c519ad

fix: remove unneeded ref

c0706b4

chg: update sigma-rust commit rev

e881d81

YamatoSecurity added 4 commits July 29, 2025 00:23

add badge

a5d2ddc

update changelog

96fb66b

bump

f6e0bae

add types

070cb65

YamatoSecurity approved these changes Jul 30, 2025

View reviewed changes

YamatoSecurity merged commit ae70eac into main Jul 30, 2025
4 checks passed

fukusuket deleted the 95-correlation-feature branch July 30, 2025 14:17

This was referenced Jul 30, 2025

feat: add Sigma v2 Correlation feature jopohl/sigma-rust#31

Open

Implementation Tasks for Sigma Correlation Rules Yamato-Security/sigma-rust#1

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add support correlation feature #97

feat: add support correlation feature #97

Uh oh!

fukusuket commented Jul 26, 2025 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fukusuket commented Jul 26, 2025

Uh oh!

fukusuket commented Jul 26, 2025

Uh oh!

fukusuket commented Jul 28, 2025

Uh oh!

fukusuket commented Jul 28, 2025

Uh oh!

fukusuket commented Jul 28, 2025

Uh oh!

YamatoSecurity left a comment

Uh oh!

Uh oh!

Uh oh!

feat: add support correlation feature #97

feat: add support correlation feature #97

Uh oh!

Conversation

fukusuket commented Jul 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Changed

Limitation

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

fukusuket commented Jul 26, 2025

event_count

Uh oh!

fukusuket commented Jul 26, 2025

Uh oh!

fukusuket commented Jul 28, 2025

value_count

Uh oh!

fukusuket commented Jul 28, 2025

temporal

Uh oh!

fukusuket commented Jul 28, 2025

temporal_ordered

Uh oh!

YamatoSecurity left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

fukusuket commented Jul 26, 2025 •

edited

Loading