Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Creation of Access Key for IAM User

Creation of Access Key for IAM User

Back
Id9a6554e6-63d9-4f94-9b32-64d1d40628f2
RulenameCreation of Access Key for IAM User
DescriptionEstablishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAWS
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
Version1.0.1
Arm template9a6554e6-63d9-4f94-9b32-64d1d40628f2.json
Deploy To Azure
AWSCloudTrail
| where EventName == "CreateAccessKey" 
| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

version: 1.0.1
severity: Medium
relevantTechniques:
- T1098
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
queryFrequency: 15m
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UpnSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
id: 9a6554e6-63d9-4f94-9b32-64d1d40628f2
status: Available
description: |
    'Establishes persistence by creating an access key on an existing IAM user. This type of action should be validated by Account Admin of AWS Account. Ref : https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/'
name: Creation of Access Key for IAM User
query: |
  AWSCloudTrail
  | where EventName == "CreateAccessKey" 
  | project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
queryPeriod: 15m
tactics:
- Persistence
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml