Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWSCloudTrail - S3 Object Exfiltration from Anonymous User

AWSCloudTrail - S3 Object Exfiltration from Anonymous User

Back
Id15d3bf4e-8708-41c8-a836-8b0aa5be730e
RulenameAWSCloudTrail - S3 Object Exfiltration from Anonymous User
DescriptionDetects S3 GetObject activity performed by anonymous principals, which can indicate unauthorized object access

and potential data exfiltration from public or misconfigured buckets.
SeverityMedium
TacticsCollection
TechniquesT1530
Required data connectorsAWS
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
Version1.0.1
Arm template15d3bf4e-8708-41c8-a836-8b0aa5be730e.json
Deploy To Azure
AWSCloudTrail
| where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
| extend
   BucketName = parse_json(RequestParameters).bucketName,
   ObjectKey = parse_json(RequestParameters).key
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

status: Available
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
query: |
  AWSCloudTrail
  | where ((UserIdentityAccountId =~ @'ANONYMOUS_PRINCIPAL' or UserIdentityPrincipalid == "Anonymous") and EventName == 'GetObject')
  | extend
     BucketName = parse_json(RequestParameters).bucketName,
     ObjectKey = parse_json(RequestParameters).key
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_S3ObjectExfiltrationByAnonymousUser.yaml
tactics:
- Collection
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
alertDetailsOverride:
  alertDescriptionFormat: Detected anonymous GetObject activity for bucket {{BucketName}} and object {{ObjectKey}} from {{SourceIpAddress}}.
  alertDisplayNameFormat: AWS S3 object access by anonymous principal in bucket {{BucketName}}
relevantTechniques:
- T1530
customDetails:
  BucketName: BucketName
  ObjectKey: ObjectKey
description: |
  Detects S3 GetObject activity performed by anonymous principals, which can indicate unauthorized object access
  and potential data exfiltration from public or misconfigured buckets.  
name: AWSCloudTrail - S3 Object Exfiltration from Anonymous User
version: 1.0.1
kind: Scheduled
id: 15d3bf4e-8708-41c8-a836-8b0aa5be730e
severity: Medium