AWSCloudTrail
| where EventName == "ModifyDocumentPermission" and isempty(ErrorCode) and isempty(ErrorMessage)
| where todynamic(parse_json(RequestParameters).["accountIdsToAdd"]) == '["all"]'
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,UserIdentityUserName, SessionMfaAuthenticated, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, RequestParameters, ResponseElements, UserIdentityArn
status: Available
alertDetailsOverride:
alertDisplayNameFormat: SSM document publicly exposed by {{AccountName}} in {{AWSRegion}}
alertDescriptionFormat: User {{AccountName}} modified SSM document permissions to expose it publicly from {{SourceIpAddress}} in region {{AWSRegion}}.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SSMPubliclyExposed.yaml
triggerOperator: gt
description: |
Detects an AWS Systems Manager (SSM) document that has been made publicly accessible, which could lead to sensitive information exposure. Verify the document configurations and confirm the change was authorized.
kind: Scheduled
version: 1.0.2
tactics:
- Discovery
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: CloudAppAccountId
columnName: RecipientAccountId
entityType: Account
- fieldMappings:
- identifier: Address
columnName: SourceIpAddress
entityType: IP
name: AWSCloudTrail - SSM document is publicly exposed
triggerThreshold: 0
customDetails:
AWSRegion: AWSRegion
RequestParameters: RequestParameters
EventName: EventName
UserAgent: UserAgent
id: 75647b58-bcc8-4eb5-9658-46698d3fa153
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
relevantTechniques:
- T1526
severity: Medium
queryFrequency: 1d
query: |
AWSCloudTrail
| where EventName == "ModifyDocumentPermission" and isempty(ErrorCode) and isempty(ErrorMessage)
| where todynamic(parse_json(RequestParameters).["accountIdsToAdd"]) == '["all"]'
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,UserIdentityUserName, SessionMfaAuthenticated, RecipientAccountId, AccountName, AccountUPNSuffix, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, RequestParameters, ResponseElements, UserIdentityArn
