Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWS Security Hub - Detect CloudTrail trails lacking KMS encryption

AWS Security Hub - Detect CloudTrail trails lacking KMS encryption

Back
Id9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21
RulenameAWS Security Hub - Detect CloudTrail trails lacking KMS encryption
DescriptionThis query detects AWS CloudTrail trails that are not configured to use server-side encryption with a customer managed KMS key using AWS Security Hub control CloudTrail.2 findings.

Unencrypted CloudTrail logs increase the risk of unauthorized access to sensitive audit data at rest.
SeverityMedium
TacticsImpact
DefenseEvasion
TechniquesT1565.001
T1562.008
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/CloudTrailTrailEncryptionDisabled.yaml
Version1.0.0
Arm template9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21.json
Deploy To Azure
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/CloudTrail.2"
  or tostring(ComplianceSecurityControlId) == "CloudTrail.2"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsCloudTrailTrail"
| extend TrailId = tostring(Resource.Id)
| summarize TimeGenerated = max(TimeGenerated)
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, TrailId

kind: Scheduled
customDetails:
  ComplianceControlId: ComplianceSecurityControlId
  FindingId: AwsSecurityFindingId
  Region: AwsRegion
alertDetailsOverride:
  alertDisplayNameFormat: AWS CloudTrail trail {{TrailId}} lacks KMS encryption
  alertDescriptionFormat: AWS CloudTrail trail ({{TrailId}}) lacks customer-managed KMS encryption for Account {{AwsAccountId}}.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
- entityType: CloudApplication
  fieldMappings:
  - columnName: TrailId
    identifier: Name
description: |
  This query detects AWS CloudTrail trails that are not configured to use server-side encryption with a customer managed KMS key using AWS Security Hub control CloudTrail.2 findings. 
  Unencrypted CloudTrail logs increase the risk of unauthorized access to sensitive audit data at rest.  
severity: Medium
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1565.001
- T1562.008
tags:
- CIS AWS Foundations Benchmark v1.4.0
- CIS AWS Foundations Benchmark v1.2.0
- NIST 800-53 r5
- PCI DSS v3.2.1
status: Available
tactics:
- Impact
- DefenseEvasion
name: AWS Security Hub - Detect CloudTrail trails lacking KMS encryption
id: 9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21
query: |
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/CloudTrail.2"
    or tostring(ComplianceSecurityControlId) == "CloudTrail.2"
  | mv-expand Resource = Resources
  | where tostring(Resource.Type) == "AwsCloudTrailTrail"
  | extend TrailId = tostring(Resource.Id)
  | summarize TimeGenerated = max(TimeGenerated)
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, TrailId  
requiredDataConnectors:
- dataTypes:
  - AWSSecurityHubFindings
  connectorId: AWSSecurityHub
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/CloudTrailTrailEncryptionDisabled.yaml
queryPeriod: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "AWS CloudTrail trail ({{TrailId}}) lacks customer-managed KMS encryption for Account {{AwsAccountId}}.",
          "alertDisplayNameFormat": "AWS CloudTrail trail {{TrailId}} lacks KMS encryption"
        },
        "alertRuleTemplateName": "9c2f6c3b-7fd8-4c5a-9d9d-3c4f9e6a7b21",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "Region": "AwsRegion"
        },
        "description": "This query detects AWS CloudTrail trails that are not configured to use server-side encryption with a customer managed KMS key using AWS Security Hub control CloudTrail.2 findings. \nUnencrypted CloudTrail logs increase the risk of unauthorized access to sensitive audit data at rest.\n",
        "displayName": "AWS Security Hub - Detect CloudTrail trails lacking KMS encryption",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "TrailId",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/CloudTrailTrailEncryptionDisabled.yaml",
        "query": "AWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/CloudTrail.2\"\n  or tostring(ComplianceSecurityControlId) == \"CloudTrail.2\"\n| mv-expand Resource = Resources\n| where tostring(Resource.Type) == \"AwsCloudTrailTrail\"\n| extend TrailId = tostring(Resource.Id)\n| summarize TimeGenerated = max(TimeGenerated)\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId, TrailId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [
          "T1565.001",
          "T1562.008"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "tags": [
          "CIS AWS Foundations Benchmark v1.4.0",
          "CIS AWS Foundations Benchmark v1.2.0",
          "NIST 800-53 r5",
          "PCI DSS v3.2.1"
        ],
        "techniques": [
          "T1562",
          "T1565"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}