Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

AWSCloudTrail - S3 Object Exfiltration from Anonymous User

Id: 15d3bf4e-8708-41c8-a836-8b0aa5be730e
Rulename: AWSCloudTrail - S3 Object Exfiltration from Anonymous User
Description: Detects S3 GetObject activity performed by anonymous principals, which can indicate unauthorized object access and potential data exfiltration from public or misconfigured buckets.
Severity: Medium
Tactics: Collection
Techniques: T1530
Required data connectors: AWS
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
Version: 1.0.1
Arm template: 15d3bf4e-8708-41c8-a836-8b0aa5be730e.json
AWSCloudTrail
| where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
| extend
   BucketName = parse_json(RequestParameters).bucketName,
   ObjectKey = parse_json(RequestParameters).key
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
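To see what the where and extend steps of the query do on concrete events, here is an added example (not part of the rule or of the Azure-Sentinel repository) that re-implements the KQL logic in Python and runs it over constructed CloudTrail records. The helper rec, the flattening done by to_sentinel_row, and the sample bucket, key and IP values are assumptions made for this example; the column names mirror the ones the KQL references, and the semantics of =~ (case-insensitive) versus == (case-sensitive) follow KQL.

```python
"""Added example: the Sentinel rule's KQL re-implemented over constructed CloudTrail records."""
import json


def rec(event_name, principal_id, account_id, source_ip, bucket, key):
    """Build a minimal CloudTrail-shaped record (constructed test data, not a real log)."""
    return {
        "eventName": event_name,
        "eventSource": "s3.amazonaws.com",
        "sourceIPAddress": source_ip,
        "userIdentity": {"principalId": principal_id, "accountId": account_id},
        "requestParameters": {"bucketName": bucket, "key": key},
    }


# Constructed sample records (assumed values; not taken from any real trail).
SAMPLE_RECORDS = [
    # anonymous GetObject, the form S3 data events take for an unauthenticated read
    rec("GetObject", "", "ANONYMOUS_PRINCIPAL", "203.0.113.10", "example-public-bucket", "exports/customers.csv"),
    # same with a lower-case accountId: the KQL uses =~ (case-insensitive), so it still matches
    rec("GetObject", "", "anonymous_principal", "203.0.113.11", "example-public-bucket", "backup.tar.gz"),
    # second branch of the predicate: principalId literally "Anonymous"
    rec("GetObject", "Anonymous", "123456789012", "198.51.100.7", "example-public-bucket", "index.html"),
    # anonymous PutObject: a different API call, must not match
    rec("PutObject", "", "ANONYMOUS_PRINCIPAL", "203.0.113.10", "example-public-bucket", "dropped.txt"),
    # authenticated GetObject through an assumed role, must not match
    rec("GetObject", "AROAEXAMPLE:alice@example.com", "123456789012", "10.0.0.5", "example-private-bucket", "secrets.env"),
]


def to_sentinel_row(record):
    """Flatten a raw CloudTrail record into the AWSCloudTrail column names the KQL uses (assumed mapping)."""
    ident = record.get("userIdentity", {})
    return {
        "EventName": record.get("eventName", ""),
        "UserIdentityAccountId": ident.get("accountId", ""),
        "UserIdentityPrincipalid": ident.get("principalId", ""),
        "SourceIpAddress": record.get("sourceIPAddress", ""),
        # the table keeps requestParameters as a JSON string; parse_json() undoes this in KQL
        "RequestParameters": json.dumps(record.get("requestParameters", {})),
    }


def is_anonymous_get_object(row):
    """The rule's where clause: =~ is case-insensitive equality, == is case-sensitive."""
    anonymous = (row["UserIdentityAccountId"].lower() == "anonymous_principal"
                 or row["UserIdentityPrincipalid"] == "Anonymous")
    return anonymous and row["EventName"] == "GetObject"


def enrich(row):
    """The two extend steps: bucket/key from RequestParameters, then the Account entity fields."""
    params = json.loads(row["RequestParameters"])
    principal = row["UserIdentityPrincipalid"]
    # KQL: substring(p, indexof_regex(p, ":") + 1). indexof returns -1 when ':' is absent,
    # so the substring starts at 0 and UserName is the whole principal id; str.find behaves the same.
    user_name = principal[principal.find(":") + 1:]
    parts = user_name.split("@")
    return {
        **row,
        "BucketName": params.get("bucketName"),
        "ObjectKey": params.get("key"),
        "UserName": user_name,
        "Name": parts[0],
        # KQL yields null for an out-of-range array index; None plays that role here
        "UpnSuffix": parts[1] if len(parts) > 1 else None,
    }


def run_rule(records):
    """Apply the rule to a batch of raw records and return the rows that would raise an alert."""
    return [enrich(r) for r in map(to_sentinel_row, records) if is_anonymous_get_object(r)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_RECORDS):
        print(f"AWS S3 object access by anonymous principal in bucket {hit['BucketName']}: "
              f"{hit['ObjectKey']} from {hit['SourceIpAddress']} (Name={hit['Name']!r})")
```

Three of the five constructed records fire; the anonymous PutObject and the assumed-role GetObject do not. For the ANONYMOUS_PRINCIPAL records the principal id is empty, so the Name and UpnSuffix columns behind the Account entity mapping are empty as well, and the IP entity is what carries the useful context for triage. Keep in mind that GetObject is an S3 data event, which CloudTrail records only when data event logging is enabled for the trail, so the absence of alerts from this rule says nothing about buckets whose object-level activity is not being logged.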
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- Collection
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS S3 object access by anonymous principal in bucket {{BucketName}}
  alertDescriptionFormat: Detected anonymous GetObject activity for bucket {{BucketName}} and object {{ObjectKey}} from {{SourceIpAddress}}.
id: 15d3bf4e-8708-41c8-a836-8b0aa5be730e
severity: Medium
status: Available
customDetails:
  ObjectKey: ObjectKey
  BucketName: BucketName
query: |
  AWSCloudTrail
  | where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
  | extend
     BucketName = parse_json(RequestParameters).bucketName,
     ObjectKey = parse_json(RequestParameters).key
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.0.1
name: AWSCloudTrail - S3 Object Exfiltration from Anonymous User
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1530
description: |
  Detects S3 GetObject activity performed by anonymous principals, which can indicate unauthorized object access
  and potential data exfiltration from public or misconfigured buckets.  
triggerOperator: gt