AWSCloudTrail
| where EventName == "PutObjectAcl" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend Grant = parse_json(tostring((parse_json(RequestParameters).AccessControlPolicy))).AccessControlList.Grant
| mvexpand Grant
| extend cannedacl = parse_json(tostring((parse_json(RequestParameters))))
| extend URI = parse_json(Grant).Grantee.URI, type = parse_json(Grant).Grantee.["xsi:type"], xamzacl = parse_json(cannedacl).["x-amz-acl"]
| where (type == "Group" and (URI endswith "AllUsers" or URI endswith "AuthenticatedUsers"))
or xamzacl in ("authenticated-read","public-read","public-read-write")
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| extend timestamp = TimeGenerated
query: |
AWSCloudTrail
| where EventName == "PutObjectAcl" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend Grant = parse_json(tostring((parse_json(RequestParameters).AccessControlPolicy))).AccessControlList.Grant
| mvexpand Grant
| extend cannedacl = parse_json(tostring((parse_json(RequestParameters))))
| extend URI = parse_json(Grant).Grantee.URI, type = parse_json(Grant).Grantee.["xsi:type"], xamzacl = parse_json(cannedacl).["x-amz-acl"]
| where (type == "Group" and (URI endswith "AllUsers" or URI endswith "AuthenticatedUsers"))
or xamzacl in ("authenticated-read","public-read","public-read-write")
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| extend timestamp = TimeGenerated
relevantTechniques:
- T1537
severity: Medium
tactics:
- Exfiltration
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: CloudAppAccountId
columnName: RecipientAccountId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectPubliclyExposed.yaml
id: 09f2a28b-3286-4268-9e2f-33805f104e5d
version: 1.0.1
description: |
'Detected S3 bucket that's publicly exposed, which could lead to sensitive information leakage to the public. Verify the S3 object configurations.'
queryPeriod: 1h
name: S3 object publicly exposed
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
status: Available
triggerOperator: gt
queryFrequency: 1h
kind: Scheduled
