Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User IAM Enumeration

Back
Idcfaaf0bc-16d1-48df-ac8b-9d901bbd516a
RulenameUser IAM Enumeration
DescriptionDetects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted
SeverityMedium
TacticsDiscovery
TechniquesT1580
Required data connectorsAWS
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
Version1.0.0
Arm templatecfaaf0bc-16d1-48df-ac8b-9d901bbd516a.json
Deploy To Azure
let threshold = 50; 
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
    count(),
    make_set(AWSRegion),
    make_set(UserAgent),
    make_set(SourceIpAddress),
    make_set(ErrorCode),
    make_set(ErrorMessage),
    make_set(EventName)
    by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
tactics:
- Discovery
name: User IAM Enumeration
id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
query: |
  let threshold = 50; 
  AWSCloudTrail
  | where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
  | summarize
      count(),
      make_set(AWSRegion),
      make_set(UserAgent),
      make_set(SourceIpAddress),
      make_set(ErrorCode),
      make_set(ErrorMessage),
      make_set(EventName)
      by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
  | where count_ > threshold
  | mv-expand set_SourceIpAddress
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
relevantTechniques:
- T1580
description: |
    'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'
triggerOperator: gt
queryPeriod: 10m
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: set_SourceIpAddress
  entityType: IP
version: 1.0.0
triggerThreshold: 0
kind: Scheduled
queryFrequency: 10m
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cfaaf0bc-16d1-48df-ac8b-9d901bbd516a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cfaaf0bc-16d1-48df-ac8b-9d901bbd516a')]",
      "properties": {
        "alertRuleTemplateName": "cfaaf0bc-16d1-48df-ac8b-9d901bbd516a",
        "customDetails": null,
        "description": "'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'\n",
        "displayName": "User IAM Enumeration",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UpnSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "set_SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml",
        "query": "let threshold = 50; \nAWSCloudTrail\n| where EventName in (\"ListAttachedRolePolicies\",\"ListRoles\",\"ListGroupsForUser\",\"ListAttachedUserPolicies\",\"ListAccessKeys\",\"ListUsers\")\n| summarize\n    count(),\n    make_set(AWSRegion),\n    make_set(UserAgent),\n    make_set(SourceIpAddress),\n    make_set(ErrorCode),\n    make_set(ErrorMessage),\n    make_set(EventName)\n    by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId\n| where count_ > threshold\n| mv-expand set_SourceIpAddress\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT10M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1580"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}