Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Creation of Access Key for IAM User

Back
Id9a6554e6-63d9-4f94-9b32-64d1d40628f2
RulenameCreation of Access Key for IAM User
DescriptionEstablishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAWS
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
Version1.0.1
Arm template9a6554e6-63d9-4f94-9b32-64d1d40628f2.json
Deploy To Azure
AWSCloudTrail
| where EventName == "CreateAccessKey" 
| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
entityMappings:
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UpnSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
queryFrequency: 15m
status: Available
relevantTechniques:
- T1098
triggerOperator: gt
id: 9a6554e6-63d9-4f94-9b32-64d1d40628f2
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
version: 1.0.1
name: Creation of Access Key for IAM User
description: |
    'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'
query: |
  AWSCloudTrail
  | where EventName == "CreateAccessKey" 
  | project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
tactics:
- Persistence
queryPeriod: 15m
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a6554e6-63d9-4f94-9b32-64d1d40628f2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a6554e6-63d9-4f94-9b32-64d1d40628f2')]",
      "properties": {
        "alertRuleTemplateName": "9a6554e6-63d9-4f94-9b32-64d1d40628f2",
        "customDetails": null,
        "description": "'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'\n",
        "displayName": "Creation of Access Key for IAM User",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml",
        "query": "AWSCloudTrail\n| where EventName == \"CreateAccessKey\" \n| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}