Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. S3 Object Exfiltration from Anonymous User

S3 Object Exfiltration from Anonymous User

Back
Id15d3bf4e-8708-41c8-a836-8b0aa5be730e
RulenameS3 Object Exfiltration from Anonymous User
DescriptionIdentify attempted exfiltration of S3 Bucket objects by an anonymous User
SeverityMedium
TacticsCollection
TechniquesT1530
Required data connectorsAWS
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
Version1.0.0
Arm template15d3bf4e-8708-41c8-a836-8b0aa5be730e.json
Deploy To Azure
AWSCloudTrail
| where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
| extend
   BucketName = parse_json(RequestParameters).bucketName,
   ObjectKey = parse_json(RequestParameters).key
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

triggerOperator: gt
description: |
    'Identify attempted exfiltration of S3 Bucket objects by an anonymous User'
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
tactics:
- Collection
relevantTechniques:
- T1530
query: |
  AWSCloudTrail
  | where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
  | extend
     BucketName = parse_json(RequestParameters).bucketName,
     ObjectKey = parse_json(RequestParameters).key
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
id: 15d3bf4e-8708-41c8-a836-8b0aa5be730e
status: Available
severity: Medium
name: S3 Object Exfiltration from Anonymous User
version: 1.0.0
queryFrequency: 5m
queryPeriod: 5m
kind: Scheduled

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15d3bf4e-8708-41c8-a836-8b0aa5be730e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15d3bf4e-8708-41c8-a836-8b0aa5be730e')]",
      "properties": {
        "alertRuleTemplateName": "15d3bf4e-8708-41c8-a836-8b0aa5be730e",
        "customDetails": null,
        "description": "'Identify attempted exfiltration of S3 Bucket objects by an anonymous User'\n",
        "displayName": "S3 Object Exfiltration from Anonymous User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml",
        "query": "AWSCloudTrail\n| where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == \"Anonymous\") and EventName == 'GetObject')\n| extend\n   BucketName = parse_json(RequestParameters).bucketName,\n   ObjectKey = parse_json(RequestParameters).key\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}