def title(event):
    """Build the alert title for a console login that did not use MFA.

    The principal is rendered as ``"the root user"`` when
    ``userIdentity.type`` is ``Root``, otherwise as ``user <userName>``.
    The account is rendered as ``<name> account (<id>)``, or as
    ``unnamed account (<id>)`` when the lookup hands back the ID itself.
    """
    is_root = deep_get(event, "userIdentity", "type") == "Root"
    if is_root:
        user_string = "the root user"
    else:
        # NOTE(review): when userIdentity.userName is absent this reads
        # "user None" -- confirm which identity types the rule matches.
        user_name = deep_get(event, "userIdentity", "userName")
        user_string = f"user {user_name}"

    account_id = event.get("recipientAccountId")
    account_name = lookup_aws_account_name(account_id)
    # The lookup is expected to return the raw ID when it has no friendly
    # name for it; an equal pair therefore means "no name known".
    unnamed = account_name == account_id
    account_string = (
        f"unnamed account ({account_id})"
        if unnamed
        else f"{account_name} account ({account_id})"
    )
    return f"AWS login detected without MFA for [{user_string}] in [{account_string}]"
def title(event):
    """Alert title for root-account activity.

    Reports the calling ``sourceIPAddress`` (``None`` if absent) and the
    friendly name of ``recipientAccountId``.
    """
    source_ip = event.get('sourceIPAddress')
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'AWS root activity detected from [{source_ip}] in account [{account}]'
def dedup(event):
    """Deduplication key ``<source IP>:<account name>:<readOnly>``.

    Events from the same address against the same account collapse into one
    alert, split by the ``readOnly`` flag so read-only and mutating calls are
    grouped separately. A missing ``sourceIPAddress`` is rendered as
    ``<UNKNOWN_IP>``; a missing ``readOnly`` is rendered as ``None``.
    """
    parts = [
        event.get("sourceIPAddress", "<UNKNOWN_IP>"),
        lookup_aws_account_name(event.get("recipientAccountId")),
        str(event.get("readOnly")),
    ]
    return ":".join(parts)
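def title(event):
    """Alert title for a failed root console login.

    Reads ``sourceIPAddress`` with ``event.get`` and the same ``<UNKNOWN_IP>``
    placeholder the sibling ``dedup`` uses, so a record lacking the field
    still yields a title instead of raising ``KeyError`` (the other titles in
    this file already use ``event.get`` for this field).
    """
    source_ip = event.get('sourceIPAddress', "<UNKNOWN_IP>")
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'AWS root login failed from [{source_ip}] in account [{account}]'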
def title(event):
    """Alert title for console logins that bypassed SAML, naming the account."""
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'AWS logins without SAML in account [{account}]'
def title(event):
    """Alert title for a CloudTrail trail being stopped or deleted.

    The first bracket carries the value of the sibling ``dedup(event)``; the
    second carries the friendly name of ``recipientAccountId``.
    """
    dedup_key = dedup(event)
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'CloudTrail [{dedup_key}] in account [{account}] was stopped/deleted'
def title(event):
    """Alert title for a CodeBuild project being made public.

    Names the acting principal by ``userIdentity.arn`` and the target account
    by the friendly name of ``recipientAccountId``.
    """
    actor_arn = deep_get(event, "userIdentity", "arn")
    account = lookup_aws_account_name(deep_get(event, "recipientAccountId"))
    return f"AWS CodeBuild Project made Public by {actor_arn} in account {account}"