Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWSCloudTrail - Policy version set to default

AWSCloudTrail - Policy version set to default

Back
Id874a1762-3fd7-4489-b411-6d4a9e9e8a59
RulenameAWSCloudTrail - Policy version set to default
DescriptionDetects SetDefaultPolicyVersion activity that makes a different IAM policy version active.

Attackers can use this to activate previously created permissive versions and escalate access.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1098.003
Required data connectorsAWS
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SetDefaulyPolicyVersion.yaml
Version1.0.2
Arm template874a1762-3fd7-4489-b411-6d4a9e9e8a59.json
Deploy To Azure
AWSCloudTrail
| where EventName == "SetDefaultPolicyVersion" and isempty(ErrorCode) and isempty(ErrorMessage)
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
  AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  - identifier: CloudAppAccountId
    columnName: RecipientAccountId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- PrivilegeEscalation
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
alertDetailsOverride:
  alertDisplayNameFormat: AWS IAM default policy version changed by {{AccountName}}
  alertDescriptionFormat: Detected SetDefaultPolicyVersion from {{SourceIpAddress}} in account {{RecipientAccountId}}.
id: 874a1762-3fd7-4489-b411-6d4a9e9e8a59
severity: Medium
status: Available
customDetails:
  AWSRegion: AWSRegion
  UserIdentityArn: UserIdentityArn
  EventSource: EventSource
  EventName: EventName
query: |
  AWSCloudTrail
  | where EventName == "SetDefaultPolicyVersion" and isempty(ErrorCode) and isempty(ErrorMessage)
  | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
  | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
  | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
  | extend AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
    AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_SetDefaulyPolicyVersion.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.2
name: AWSCloudTrail - Policy version set to default
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1098.003
description: |
  Detects SetDefaultPolicyVersion activity that makes a different IAM policy version active.
  Attackers can use this to activate previously created permissive versions and escalate access.  
triggerOperator: gt