AWSCloudTrail - Policy version set to default
| Id | 874a1762-3fd7-4489-b411-6d4a9e9e8a59 |
| Rulename | AWSCloudTrail - Policy version set to default |
| Description | Detects SetDefaultPolicyVersion activity that makes a different IAM policy version active. Attackers can use this to activate previously created permissive versions and escalate access. |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1098.003 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SetDefaulyPolicyVersion.yaml |
| Version | 1.0.2 |
| Arm template | 874a1762-3fd7-4489-b411-6d4a9e9e8a59.json |
AWSCloudTrail
| where EventName == "SetDefaultPolicyVersion" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
name: AWSCloudTrail - Policy version set to default
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
queryPeriod: 1h
relevantTechniques:
- T1098.003
tactics:
- PrivilegeEscalation
alertDetailsOverride:
alertDescriptionFormat: Detected SetDefaultPolicyVersion from {{SourceIpAddress}} in account {{RecipientAccountId}}.
alertDisplayNameFormat: AWS IAM default policy version changed by {{AccountName}}
id: 874a1762-3fd7-4489-b411-6d4a9e9e8a59
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SetDefaulyPolicyVersion.yaml
kind: Scheduled
query: |
AWSCloudTrail
| where EventName == "SetDefaultPolicyVersion" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
version: 1.0.2
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- identifier: CloudAppAccountId
columnName: RecipientAccountId
entityType: Account
- fieldMappings:
- identifier: Address
columnName: SourceIpAddress
entityType: IP
triggerOperator: gt
description: |
Detects SetDefaultPolicyVersion activity that makes a different IAM policy version active.
Attackers can use this to activate previously created permissive versions and escalate access.
triggerThreshold: 0
queryFrequency: 1h
status: Available
severity: Medium
customDetails:
EventName: EventName
UserIdentityArn: UserIdentityArn
AWSRegion: AWSRegion
EventSource: EventSource