Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

AWS Security Hub - Detect SSM documents public sharing enabled

Back
Id0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
RulenameAWS Security Hub - Detect SSM documents public sharing enabled
DescriptionThis query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.

Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.
SeverityHigh
TacticsExecution
TechniquesT1059
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml
Version1.0.0
Arm template0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2.json
Deploy To Azure
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
      or tostring(ComplianceSecurityControlId) == "SSM.7"
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId
tactics:
- Execution
name: AWS Security Hub - Detect SSM documents public sharing enabled
id: 0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/SSM.7"
        or tostring(ComplianceSecurityControlId) == "SSM.7"
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId  
relevantTechniques:
- T1059
description: |
  This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.
  Allowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.  
triggerOperator: gt
queryPeriod: 1h
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AwsAccountId
  - identifier: CloudAppAccountId
    columnName: AwsAccountId
  entityType: Account
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: AWS Account {{AwsAccountId}} SSM documents public sharing enabled
  alertDescriptionFormat: AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.
triggerThreshold: 0
tags:
- AWS Foundational Security Best Practices v1.0.0
kind: Scheduled
queryFrequency: 1h
status: Available
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  Region: AwsRegion
  FindingId: AwsSecurityFindingId
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS Account {{AwsAccountId}} has SSM documents with public sharing enabled. Disable public sharing setting to prevent unintended exposure of automation documents.",
          "alertDisplayNameFormat": "AWS Account {{AwsAccountId}} SSM documents public sharing enabled"
        },
        "alertRuleTemplateName": "0aa20f8c-b8e4-4a34-a5b8-8b2d9dd7d1c2",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects AWS accounts where public sharing is enabled, using AWS Security Hub control SSM.7 findings.\nAllowing public sharing of SSM documents can expose automation content and enable unauthorized execution or tampering.\n",
        "displayName": "AWS Security Hub - Detect SSM documents public sharing enabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/SSMDocumentsPublicSharingEnabled.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/SSM.7\"\n      or tostring(ComplianceSecurityControlId) == \"SSM.7\"\n| summarize TimeGenerated = max(TimeGenerated)\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "tags": [
          "AWS Foundational Security Best Practices v1.0.0"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}