Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. S3 Object Exfiltration from Anonymous User

S3 Object Exfiltration from Anonymous User

Back
Id15d3bf4e-8708-41c8-a836-8b0aa5be730e
RulenameS3 Object Exfiltration from Anonymous User
DescriptionIdentify attempted exfiltration of S3 Bucket objects by an anonymous User
SeverityMedium
TacticsCollection
TechniquesT1530
Required data connectorsAWS
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
Version1.0.0
Arm template15d3bf4e-8708-41c8-a836-8b0aa5be730e.json
Deploy To Azure
AWSCloudTrail
| where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
| extend
   BucketName = parse_json(RequestParameters).bucketName,
   ObjectKey = parse_json(RequestParameters).key
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UpnSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
description: |
    'Identify attempted exfiltration of S3 Bucket objects by an anonymous User'
severity: Medium
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1530
status: Available
tactics:
- Collection
name: S3 Object Exfiltration from Anonymous User
id: 15d3bf4e-8708-41c8-a836-8b0aa5be730e
query: |
  AWSCloudTrail
  | where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
  | extend
     BucketName = parse_json(RequestParameters).bucketName,
     ObjectKey = parse_json(RequestParameters).key
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
queryPeriod: 5m

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15d3bf4e-8708-41c8-a836-8b0aa5be730e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15d3bf4e-8708-41c8-a836-8b0aa5be730e')]",
      "properties": {
        "alertRuleTemplateName": "15d3bf4e-8708-41c8-a836-8b0aa5be730e",
        "customDetails": null,
        "description": "'Identify attempted exfiltration of S3 Bucket objects by an anonymous User'\n",
        "displayName": "S3 Object Exfiltration from Anonymous User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml",
        "query": "AWSCloudTrail\n| where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == \"Anonymous\") and EventName == 'GetObject')\n| extend\n   BucketName = parse_json(RequestParameters).bucketName,\n   ObjectKey = parse_json(RequestParameters).key\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1530"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}