Microsoft Sentinel Analytic Rules

AWSCloudTrail - Creation of Access Key for IAM User

Id: 9a6554e6-63d9-4f94-9b32-64d1d40628f2
Rulename: AWSCloudTrail - Creation of Access Key for IAM User
Description: Detects creation of a new IAM access key on an existing user account, which could be used to establish persistence. This action should be validated by the AWS account administrator. Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/
Severity: Medium
Tactics: Persistence
Techniques: T1098.001
Required data connectors: AWS
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
Version: 1.0.2
Arm template: 9a6554e6-63d9-4f94-9b32-64d1d40628f2.json
AWSCloudTrail
// Only the IAM API call that mints a new long-lived credential
| where EventName == "CreateAccessKey"
// Drop columns that carry no investigative value
| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
// For an assumed-role session the principal id is "<role-id>:<session-name>"; keep the part after the colon.
// For an IAM user there is no colon, indexof_regex returns -1 and the whole principal id is kept.
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
// Split into the Name / UPNSuffix pair the Account entity mapping expects (UpnSuffix is empty without an '@')
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
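The KQL above cannot be run outside a Log Analytics workspace, so the following is an added Python example (not code from the Azure-Sentinel repository or from cloudbrothers.info) that replays the rule's logic over a handful of constructed CloudTrail records: it keeps CreateAccessKey events, derives UserName from the principal id exactly as the query's substring/indexof step does, and splits it into the Name / UpnSuffix pair used by the Account entity mapping. It also reports whether the key was minted for a user other than the caller, which is the stratus-red-team "iam-backdoor-user" pattern the description refers to; that CrossUser field is an addition, not something the rule itself surfaces. The sample records, their principal ids, key ids and IP addresses are all made up; the field names follow the raw CloudTrail JSON (userIdentity.principalId, requestParameters.userName, responseElements.accessKey.userName).

```python
"""Added example (not part of the Sentinel rule or the Azure-Sentinel repo).

Replays the rule's KQL over constructed CloudTrail records and adds a
caller-vs-target comparison that the original rule does not perform.
"""
from __future__ import annotations

# Constructed sample records using raw CloudTrail JSON field names, trimmed to
# what the rule uses. Every identifier, key id and IP below is made up.
SAMPLE_EVENTS: list[dict] = [
    {   # An IAM user creates a key for a *different* user: the backdoor pattern.
        "eventName": "CreateAccessKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEADMIN0001",
                         "userName": "admin-alice"},
        "requestParameters": {"userName": "svc-backup"},
        "responseElements": {"accessKey": {"userName": "svc-backup",
                                           "accessKeyId": "AKIAEXAMPLE00000001",
                                           "status": "Active"}},
    },
    {   # An assumed-role session: principal id is "<role-id>:<session-name>".
        "eventName": "CreateAccessKey",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "console.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "principalId": "AROAEXAMPLEROLE0001:bob@example.com"},
        "requestParameters": {"userName": "bob"},
        "responseElements": {"accessKey": {"userName": "bob",
                                           "accessKeyId": "AKIAEXAMPLE00000002",
                                           "status": "Active"}},
    },
    {   # Unrelated IAM call: must not produce an alert.
        "eventName": "ListAccessKeys",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0",
        "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEADMIN0001",
                         "userName": "admin-alice"},
        "requestParameters": {"userName": "admin-alice"},
    },
]


def principal_user_name(principal_id: str) -> str:
    """Mirror of substring(UserIdentityPrincipalid, indexof_regex(..., ":") + 1).

    Everything after the first colon. With no colon, indexof returns -1, so the
    substring starts at offset 0 and the whole principal id is kept.
    """
    return principal_id[principal_id.find(":") + 1:]


def split_upn(user_name: str) -> tuple[str, str]:
    """Mirror of split(UserName, '@')[0] and [1]: returns (Name, UpnSuffix)."""
    name, _, suffix = user_name.partition("@")
    return name, suffix


def detect_access_key_creation(events: list[dict]) -> list[dict]:
    """Return one alert per CreateAccessKey event, shaped like the rule's output."""
    alerts: list[dict] = []
    for ev in events:
        if ev.get("eventName") != "CreateAccessKey":
            continue
        identity = ev.get("userIdentity") or {}
        name, upn_suffix = split_upn(principal_user_name(identity.get("principalId", "")))
        # User that received the key: responseElements is authoritative,
        # requestParameters.userName only appears when a target was named explicitly.
        response_key = (ev.get("responseElements") or {}).get("accessKey") or {}
        target = response_key.get("userName") or (ev.get("requestParameters") or {}).get("userName")
        caller = identity.get("userName")  # only present for IAMUser principals
        alerts.append({
            "Name": name,
            "UpnSuffix": upn_suffix,
            "UserIdentityPrincipalid": identity.get("principalId"),
            "SourceIpAddress": ev.get("sourceIPAddress"),
            "AWSRegion": ev.get("awsRegion"),
            "UserAgent": ev.get("userAgent"),
            "EventName": ev["eventName"],
            # Addition on top of the rule: was the key minted for someone else?
            "TargetUserName": target,
            "CrossUser": bool(caller and target and caller != target),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_access_key_creation(SAMPLE_EVENTS):
        print(alert)
```

Two things the replay makes visible. First, for an IAM-user principal the Name entity ends up holding the unique principal id (AIDA...), because there is no colon and no '@' to split on; the human-readable user name lives in the separate UserIdentityUserName column of the AWSCloudTrail table, so an analyst pivoting on the Account entity should expect the id rather than the name. Second, the rule alerts on every CreateAccessKey call, including self-service key rotation; the CrossUser comparison shown here is one way to raise the priority of the case the stratus-red-team reference actually describes, a key created for an account other than the caller's.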
entityMappings:
- fieldMappings:
  - columnName: Name
    identifier: Name
  - columnName: UpnSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserAccessKeyCreated.yaml
alertDetailsOverride:
  alertDescriptionFormat: User {{Name}} (principal {{UserIdentityPrincipalid}}) created a new IAM access key in region {{AWSRegion}}.
  alertDisplayNameFormat: IAM access key created by {{Name}} in {{AWSRegion}}
version: 1.0.2
query: |
  AWSCloudTrail
  | where EventName == "CreateAccessKey" 
  | project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
triggerThreshold: 0
relevantTechniques:
- T1098.001
queryPeriod: 15m
status: Available
severity: Medium
kind: Scheduled
customDetails:
  AWSRegion: AWSRegion
  EventName: EventName
  UserAgent: UserAgent
name: AWSCloudTrail - Creation of Access Key for IAM User
queryFrequency: 15m
id: 9a6554e6-63d9-4f94-9b32-64d1d40628f2
description: |
    Detects creation of a new IAM access key on an existing user account, which could be used to establish persistence. This action should be validated by the AWS account administrator. Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.iam-backdoor-user/
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS