User IAM Enumeration

let threshold = 50; 
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
    count(),
    make_set(AWSRegion),
    make_set(UserAgent),
    make_set(SourceIpAddress),
    make_set(ErrorCode),
    make_set(ErrorMessage),
    make_set(EventName)
    by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

tactics:
- Discovery
id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
status: Available
description: |
    'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'
version: 1.0.0
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: set_SourceIpAddress
  entityType: IP
kind: Scheduled
name: User IAM Enumeration
query: |
  let threshold = 50; 
  AWSCloudTrail
  | where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
  | summarize
      count(),
      make_set(AWSRegion),
      make_set(UserAgent),
      make_set(SourceIpAddress),
      make_set(ErrorCode),
      make_set(ErrorMessage),
      make_set(EventName)
      by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
  | where count_ > threshold
  | mv-expand set_SourceIpAddress
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
queryPeriod: 10m
queryFrequency: 10m
triggerOperator: gt
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
relevantTechniques:
- T1580