Fix up queries that were incorrectly negating traversals, and aliasin…
…g the results
jmountifield committed Apr 10, 2024
1 parent c83b531 commit fafafba
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions rule-packs/aws-config.json
Expand Up @@ -661,7 +661,7 @@
"queries": [
{
"name": "query0",
"query": "FIND aws_iam_group AS group THAT !HAS aws_iam_user AS user RETURN user.accountId, user.name,user.displayName, group.name,group.displayName, group.id",
"query": "FIND aws_iam_user AS user THAT !HAS aws_iam_group RETURN user.displayName, user.name, user.accountId AS \"AWS Account ID\", user.arn",
"version": "v1"
}
],
Expand Down Expand Up @@ -841,7 +841,7 @@
"queries": [
{
"name": "query0",
"query": "FIND aws_security_group AS fw THAT !ALLOWS AS rule (Host|Network) WITH internal != true AS src WHERE (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 4333 AND rule.toPort >= 4333) RETURN fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR",
"query": "FIND aws_security_group AS fw THAT ALLOWS AS rule (Host|Network) WITH internal != true AS src WHERE (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 20 AND rule.toPort >= 20) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 21 AND rule.toPort >= 21) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3306 AND rule.toPort >= 3306) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 3389 AND rule.toPort >= 3389) OR (rule.ingress = true AND rule.ipProtocol = 'tcp' AND rule.fromPort <= 4333 AND rule.toPort >= 4333) RETURN fw.displayName, rule.ipProtocol, rule.fromPort, rule.toPort, src.displayName, src.ipAddress, src.CIDR, fw.accountId AS \"AWS Account ID\"",
"version": "v1"
}
],
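Review bot: In the second hunk (the aws_security_group query), every WHERE branch requires `rule.ipProtocol = 'tcp'`, so a rule that allows all protocols would expose ports 20, 21, 3306, 3389 and 4333 without matching, assuming the integration stores such rules under a different ipProtocol value. If it does, widen each branch to something like `rule.ipProtocol = ('tcp' OR '<all-protocols value>')`, with the placeholder replaced by whatever value the ingested rules carry. Dropping the `!` from `ALLOWS` also changes what a non-empty result means, so the rule's alert condition should be re-checked to confirm it fires on matches; that part of the rule object lies outside the hunk. The same check applies to the first hunk, where the query now returns users without a group instead of groups without users.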
