rules-unsupported/aws_lambda_function_created_or_invoked.yml

title: AWS Lambda Function Created or Invoked
id: d914951b-52c8-485f-875e-86abab710c0b
status: unsupported
description: Detects when an user creates or invokes a lambda function.
references:
    - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
author: Austin Songer @austinsonger
date: 2021/10/03
modified: 2023/03/24
tags:
    - attack.privilege_escalation
    - attack.t1078
logsource:
    product: aws
    service: cloudtrail
detection:
    selection1:
        eventSource: lambda.amazonaws.com
        eventName: CreateFunction
    selection2:
        eventSource: lambda.amazonaws.com
        eventName: Invoke
    condition: selection1 | near selection2
falsepositives:
    - Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: low
Update and rename aws_pass_role_to_lambda_function.yml to aws_lambda_function_created_or_invoked.yml 2021-10-13 12:27:24 -05:00			`title: AWS Lambda Function Created or Invoked`
$frack113$ Update aws_pass_role_to_lambda_function.yml 2021-10-05 07:40:42 +02:00			`id: d914951b-52c8-485f-875e-86abab710c0b`
feat: new rules, updates and fp fixes (#4136 ) 2023-04-03 12:06:14 +02:00			`status: unsupported`
Update and rename aws_pass_role_to_lambda_function.yml to aws_lambda_function_created_or_invoked.yml 2021-10-13 12:27:24 -05:00			`description: Detects when an user creates or invokes a lambda function.`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`references:`
			`- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/`
Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00			`author: Austin Songer @austinsonger`
			`date: 2021/10/03`
feat: new rules, updates and fp fixes (#4136 ) 2023-04-03 12:06:14 +02:00			`modified: 2023/03/24`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`tags:`
			`- attack.privilege_escalation`
			`- attack.t1078`
Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00			`logsource:`
$frack113$ Add product aws 2021-11-14 09:56:59 +01:00			`product: aws`
Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00			`service: cloudtrail`
			`detection:`
			`selection1:`
			`eventSource: lambda.amazonaws.com`
			`eventName: CreateFunction`
Update aws_pass_role_to_lambda_function.yml 2021-10-13 06:59:13 -05:00			`selection2:`
Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00			`eventSource: lambda.amazonaws.com`
Update and rename aws_pass_role_to_lambda_function.yml to aws_lambda_function_created_or_invoked.yml 2021-10-13 12:27:24 -05:00			`eventName: Invoke`
Update aws_lambda_function_created_or_invoked.yml 2021-10-14 12:10:29 -05:00			`condition: selection1 \| near selection2`
Create pass_role_to_lambda_function.yml 2021-10-03 22:54:01 -05:00			`falsepositives:`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`- Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.`
$frack113$ Fix optional section name 2021-11-27 11:27:40 +01:00			`- If known behavior is causing false positives, it can be exempted from the rule.`
$frack113$ Order yaml field 2022-10-25 07:34:10 +02:00			`level: low`