def title(event):
    """Build the alert title for an AWS login that did not use MFA.

    The title names the acting identity and the account the event was
    recorded in (``recipientAccountId``), e.g.
    ``AWS login detected without MFA for [user alice] in [prod account (123)]``.
    """
    # Root sessions carry no user name worth showing, so they get a fixed label.
    # NOTE(review): for any other identity type the userName lookup result is
    # interpolated as-is; if the field is absent the title shows whatever
    # deep_get returns for a missing key (presumably None - confirm).
    actor = (
        "the root user"
        if deep_get(event, "userIdentity", "type") == "Root"
        else f"user {deep_get(event, 'userIdentity', 'userName')}"
    )

    acct_id = event.get("recipientAccountId")
    acct_name = lookup_aws_account_name(acct_id)
    # A lookup that hands the ID straight back is treated as "no friendly name".
    where = (
        f"unnamed account ({acct_id})"
        if acct_id == acct_name
        else f"{acct_name} account ({acct_id})"
    )

    return f"AWS login detected without MFA for [{actor}] in [{where}]"
def title(event):
    """Build the alert title for root-user activity.

    Shows the event's ``sourceIPAddress`` and the name that
    ``lookup_aws_account_name`` returns for ``recipientAccountId``.
    """
    source_ip = event.get('sourceIPAddress')
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'AWS root activity detected from [{source_ip}] in account [{account}]'
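def dedup(event):
    """Return the deduplication key ``<source IP>:<account name>:<readOnly>``.

    Alerts are grouped per source address, per account, and per read-only
    versus mutating activity.

    The key is assembled by formatting rather than ``+`` concatenation so that
    an event whose ``sourceIPAddress`` is present but null, or an account
    lookup that yields a non-string, cannot raise ``TypeError`` and leave the
    alert without its intended grouping key.
    """
    source_ip = event.get("sourceIPAddress")
    if source_ip is None:
        # Covers both a missing key and an explicit null value.
        source_ip = "<UNKNOWN_IP>"
    account = lookup_aws_account_name(event.get("recipientAccountId"))
    return f"{source_ip}:{account}:{event.get('readOnly')}"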
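def title(event):
    """Build the alert title for a failed root console login.

    Shows the event's ``sourceIPAddress`` and the name that
    ``lookup_aws_account_name`` returns for ``recipientAccountId``.
    """
    # .get() instead of indexing: an event without sourceIPAddress should still
    # produce a title (showing None) rather than raise KeyError while the alert
    # is being built.
    source_ip = event.get('sourceIPAddress')
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return 'AWS root login failed from [{ip}] in account [{account}]'.format(
        ip=source_ip, account=account)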
def title(event):
    """Build the alert title for logins that did not go through SAML.

    Only the account is shown: the name that ``lookup_aws_account_name``
    returns for the event's ``recipientAccountId``.
    """
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'AWS logins without SAML in account [{account}]'
def title(event):
    """Build the alert title for a CloudTrail trail being stopped or deleted.

    The first bracketed value is whatever this rule's ``dedup(event)`` returns
    (defined outside this snippet; presumably the trail identifier - confirm).
    The second is the account name looked up from ``recipientAccountId``.
    """
    trail = dedup(event)
    account = lookup_aws_account_name(event.get('recipientAccountId'))
    return f'CloudTrail [{trail}] in account [{account}] was stopped/deleted'
def title(event):
    """Build the alert title for a CodeBuild project being made public.

    Names the acting principal by ``userIdentity.arn`` and the account by the
    name that ``lookup_aws_account_name`` returns for ``recipientAccountId``.
    """
    actor_arn = deep_get(event, "userIdentity", "arn")
    account = lookup_aws_account_name(deep_get(event, "recipientAccountId"))
    return f"AWS CodeBuild Project made Public by {actor_arn} in account {account}"