more correlation rules from AWS re:inforce (#1289)

* more correlation rules from AWS re:inforce

* unit tests

correlation_rules/aws_console_sign-in_without_okta.yml

@@ -0,0 +1,51 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.Console.Sign-In.NOT.PRECEDED.BY.Okta"
+DisplayName: "AWS Console Sign-In NOT PRECEDED BY Okta Redirect"
+Enabled: false
+Tags:
+    - AWS
+    - Configuration Required
+    - Okta
+    - Actor Profiles
+Severity: High
+Description: A user has logged into the AWS console without authenticating via Okta.  This rule requires AWS SSO via Okta, both log sources configured, and Actor Profiles enabled.
+Detection:
+    - Sequence:
+        - ID: Okta SSO to AWS
+          RuleID: Okta.SSO.to.AWS
+          Absence: true
+        - ID: AWS Console Sign-In
+          RuleID: AWS.Console.Sign-In
+      Transitions:
+        - ID: Okta SSO to AWS TO AWS Console Sign-In ON username
+          From: Okta SSO to AWS
+          To: AWS Console Sign-In
+          Match:
+            - On: p_udm.user.id
+          WithinTimeFrameMinutes: 15
+      Schedule:
+        RateMinutes: 1440
+        TimeoutMinutes: 5
+      LookbackWindowMinutes: 1440
+Tests:
+  - Name: AWS Console Sign-In PRECEDED BY Okta Redirect
+    ExpectedResult: false
+    RuleOutputs:
+    - ID: Okta SSO to AWS
+      Matches:
+        p_udm.user.id:
+          igor.stravinsky:
+            - 0
+    - ID: AWS Console Sign-In
+      Matches:
+        p_udm.user.id:
+          igor.stravinsky:
+            - 2
+  - Name: AWS Console Sign-In NOT PRECEDED BY Okta Redirect
+    ExpectedResult: true
+    RuleOutputs:
+    - ID: AWS Console Sign-In
+      Matches:
+        p_udm.user.id:
+          igor.stravinsky:
+            - 2

correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml

@@ -0,0 +1,50 @@
+AnalysisType: correlation_rule
+RuleID: "AWS.SSO.Access.Token.Retrieved.by.Unauthenticated.IP"
+DisplayName: "AWS SSO Access Token Retrieved by Unauthenticated IP"
+Enabled: true
+Severity: Medium
+Description: |-
+    When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts.
+
+    In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level.
+Reference: https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
+Detection:
+    - Sequence:
+        - ID: Absent CLI Prompt
+          RuleID: Sign-in.with.AWS.CLI.prompt
+          Absence: true
+        - ID: SSO Access Token Retrieved
+          RuleID: Retrieve.SSO.access.token
+      Transitions:
+        - ID: Absent CLI Prompt TO Access Token Retrieved ON IP Addr
+          From: Absent CLI Prompt
+          To: SSO Access Token Retrieved
+          WithinTimeFrameMinutes: 120
+          Match:
+            - On: sourceIPAddress
+      Schedule:
+        RateMinutes: 1440
+        TimeoutMinutes: 5
+      LookbackWindowMinutes: 1440
+Tests:
+  - Name: AWS SSO Access Token Retrieved by Authenticated IP
+    ExpectedResult: false
+    RuleOutputs:
+    - ID: Absent CLI Prompt
+      Matches:
+        p_udm.user.id:
+          igor.stravinsky:
+            - 0
+    - ID: SSO Access Token Retrieved
+      Matches:
+        p_udm.user.id:
+          igor.stravinsky:
+            - 2
+  - Name: AWS SSO Access Token Retrieved by Unauthenticated IP
+    ExpectedResult: true
+    RuleOutputs:
+    - ID: SSO Access Token Retrieved
+      Matches:
+        p_udm.user.id:
+          igor.stravinsky:
+            - 2