From e08f6333b810eff9a50a5a2ff8e49be0ed8591bb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Wed, 13 Oct 2021 06:59:13 -0500
Subject: [PATCH] Update aws_pass_role_to_lambda_function.yml
---
 rules/cloud/aws/aws_pass_role_to_lambda_function.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
index 3c38c959e..f80470509 100644
--- a/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
+++ b/rules/cloud/aws/aws_pass_role_to_lambda_function.yml
@@ -10,15 +10,12 @@ logsource:
 service: cloudtrail
 detection:
 selection1:
- eventSource: iam.amazonaws.com
- eventName: PassRole
- selection2:
 eventSource: lambda.amazonaws.com
 eventName: CreateFunction
- selection3:
+ selection2:
 eventSource: lambda.amazonaws.com
 eventName: InvokeFunction
- condition: selection1 and selection2 and selection3
+ condition: selection1 and selection2
 level: low
 tags:
 - attack.privilege_escalation
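Review bot: `condition: selection1 and selection2` cannot match, because a Sigma condition is evaluated against one log event and a single CloudTrail record carries only one `eventName`, so it is never both `CreateFunction` and `InvokeFunction`; removing the PassRole selection leaves the same problem the three-way `and` had, and the rule stays silent. If the intent is to flag either call, the line should read `condition: selection1 or selection2` (or `1 of selection*`), with the false-positive notes adjusted for the extra volume. If the intent is create-then-invoke by the same principal, that sequence has to be expressed as a correlation in the SIEM rather than a per-event `and`, and the description (outside this hunk) should say so. It is also worth checking both names against sample logs: Lambda management events in CloudTrail can carry a version suffix on `eventName`, which an exact match would miss (`eventName|startswith: CreateFunction` would tolerate it), and function invocations are only recorded when data-event logging is enabled for the trail.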