Microsoft Sentinel Analytic Rules

AWSCloudTrail - Changes to AWS Security Group ingress and egress settings

Id: 4f19d4e3-ec5f-4abc-9e61-819eb131758c
Rulename: AWSCloudTrail - Changes to AWS Security Group ingress and egress settings
Description: A Security Group acts as a virtual firewall for an AWS instance to control inbound and outbound traffic. This rule detects AWS CloudTrail events for changes to Security Group ingress and egress settings.

Investigate to validate the legitimacy of the activity and identify potential malicious activity.
Severity: Low
Tactics: DefenseEvasion
Techniques: T1562.007
Required data connectors: AWS, AWSS3
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml
Version: 1.0.5
Arm template: 4f19d4e3-ec5f-4abc-9e61-819eb131758c.json
let EventNameList = dynamic([ "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupEgress", "RevokeSecurityGroupIngress"]);
AWSCloudTrail
| where EventName in~ (EventNameList)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
by EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,
AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements
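As an added illustration (not part of the rule or the Azure-Sentinel repository), the following Python replicates the query's account-normalisation and summarize steps over constructed CloudTrail rows, so the case-insensitive event match, the Resources[0].ARN fallback and the UPN split can be checked outside Sentinel. Column names follow the AWSCloudTrail table; all ids, ARNs and addresses are placeholders.

```python
import json
from collections import defaultdict
# Event names the rule matches; lower-cased because KQL "in~" is case-insensitive.
EVENT_NAMES = {"authorizesecuritygroupegress", "authorizesecuritygroupingress",
               "revokesecuritygroupegress", "revokesecuritygroupingress"}
# Constructed sample rows shaped like the AWSCloudTrail columns the rule reads;
# the account ids, ARNs and addresses are placeholders, not real data.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "EventName": "AuthorizeSecurityGroupIngress",
     "UserIdentityArn": "arn:aws:iam::111122223333:user/alice@example.com",
     "UserIdentityUserName": "", "UserIdentityPrincipalid": "AIDAEXAMPLE1",
     "SourceIpAddress": "198.51.100.10", "Resources": "[]"},
    {"TimeGenerated": "2024-05-01T08:05:00Z", "EventName": "revokesecuritygroupegress",
     "UserIdentityArn": "", "UserIdentityUserName": "", "UserIdentityPrincipalid": "AROAEXAMPLE2:ci",
     "SourceIpAddress": "203.0.113.5",
     "Resources": json.dumps([{"ARN": "arn:aws:sts::111122223333:assumed-role/Deploy/ci-runner"}])},
    {"TimeGenerated": "2024-05-01T08:30:00Z", "EventName": "AuthorizeSecurityGroupIngress",
     "UserIdentityArn": "arn:aws:iam::111122223333:user/alice@example.com",
     "UserIdentityUserName": "", "UserIdentityPrincipalid": "AIDAEXAMPLE1",
     "SourceIpAddress": "198.51.100.10", "Resources": "[]"},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "EventName": "DescribeSecurityGroups",  # not in scope
     "UserIdentityArn": "arn:aws:iam::111122223333:user/bob", "UserIdentityUserName": "bob",
     "UserIdentityPrincipalid": "AIDAEXAMPLE3", "SourceIpAddress": "192.0.2.7", "Resources": "[]"},
]

def account_entity(row):
    """Mirror the rule's extend steps: (AccountName, AccountUPNSuffix) for one row."""
    arn = row.get("UserIdentityArn") or ""
    if not arn:  # same fallback as the KQL iif(): take Resources[0].ARN
        resources = json.loads(row.get("Resources") or "[]")
        arn = resources[0].get("ARN", "") if resources else ""
    user_name = arn.split("/")[-1]
    if row.get("UserIdentityPrincipalid") == "Anonymous":
        name = "Anonymous"
    else:
        name = row.get("UserIdentityUserName") or user_name
    # In the KQL both outputs read the pre-split AccountName, so split once here.
    return (name.split("@")[0], name.split("@")[1]) if "@" in name else (name, "")

def summarize(rows):
    """Mirror the summarize step: count and time span per event/account/source IP."""
    groups = defaultdict(list)
    for row in rows:
        if row["EventName"].lower() not in EVENT_NAMES:
            continue
        name, suffix = account_entity(row)
        groups[(row["EventName"], name, suffix, row["SourceIpAddress"])].append(row["TimeGenerated"])
    return {k: {"EventCount": len(t), "StartTimeUtc": min(t), "EndTimeUtc": max(t)}
            for k, t in groups.items()}
```

Each key of the returned dict corresponds to one alert row in Sentinel; the read-only DescribeSecurityGroups row is dropped, while the lower-cased event name is still matched.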
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - AWSCloudTrail
  connectorId: AWSS3
alertDetailsOverride:
  alertDisplayNameFormat: AWS Security Group ingress/egress change by {{AccountName}} from {{SourceIpAddress}}
  alertDescriptionFormat: AWS Security Group ingress/egress change activity {{EventName}} was detected for {{AccountName}} from {{SourceIpAddress}}.
id: 4f19d4e3-ec5f-4abc-9e61-819eb131758c
severity: Low
status: Available
customDetails:
  UserIdentityType: UserIdentityType
  EventName: EventName
  UserIdentityUserName: UserIdentityUserName
  UserIdentityArn: UserIdentityArn
  AWSRegion: AWSRegion
  UserAgent: UserAgent
query: |
  let EventNameList = dynamic([ "AuthorizeSecurityGroupEgress", "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupEgress", "RevokeSecurityGroupIngress"]);
  AWSCloudTrail
  | where EventName in~ (EventNameList)
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
  | summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated)
  by EventSource, EventName, UserIdentityType, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,
  AdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml
kind: Scheduled
queryPeriod: 1d
version: 1.0.5
name: AWSCloudTrail - Changes to AWS Security Group ingress and egress settings
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1562.007
description: |
  A Security Group acts as a virtual firewall for an AWS instance to control inbound and outbound traffic. This rule detects AWS CloudTrail events for changes to Security Group ingress and egress settings.
  Investigate to validate the legitimacy of the activity and identify potential malicious activity.
triggerOperator: gt