User IAM Enumeration
| Id | cfaaf0bc-16d1-48df-ac8b-9d901bbd516a |
| Rulename | User IAM Enumeration |
| Description | Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted |
| Severity | Medium |
| Tactics | Discovery |
| Techniques | T1580 |
| Required data connectors | AWS |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml |
| Version | 1.0.0 |
| Arm template | cfaaf0bc-16d1-48df-ac8b-9d901bbd516a.json |
let threshold = 50;
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
count(),
make_set(AWSRegion),
make_set(UserAgent),
make_set(SourceIpAddress),
make_set(ErrorCode),
make_set(ErrorMessage),
make_set(EventName)
by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
entityMappings:
- fieldMappings:
- columnName: Name
identifier: Name
- columnName: UpnSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: set_SourceIpAddress
identifier: Address
entityType: IP
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
queryFrequency: 10m
status: Available
relevantTechniques:
- T1580
triggerOperator: gt
id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
version: 1.0.0
name: User IAM Enumeration
description: |
'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'
query: |
let threshold = 50;
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
count(),
make_set(AWSRegion),
make_set(UserAgent),
make_set(SourceIpAddress),
make_set(ErrorCode),
make_set(ErrorMessage),
make_set(EventName)
by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
tactics:
- Discovery
queryPeriod: 10m
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cfaaf0bc-16d1-48df-ac8b-9d901bbd516a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cfaaf0bc-16d1-48df-ac8b-9d901bbd516a')]",
"properties": {
"alertRuleTemplateName": "cfaaf0bc-16d1-48df-ac8b-9d901bbd516a",
"customDetails": null,
"description": "'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'\n",
"displayName": "User IAM Enumeration",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UpnSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "set_SourceIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml",
"query": "let threshold = 50; \nAWSCloudTrail\n| where EventName in (\"ListAttachedRolePolicies\",\"ListRoles\",\"ListGroupsForUser\",\"ListAttachedUserPolicies\",\"ListAccessKeys\",\"ListUsers\")\n| summarize\n count(),\n make_set(AWSRegion),\n make_set(UserAgent),\n make_set(SourceIpAddress),\n make_set(ErrorCode),\n make_set(ErrorMessage),\n make_set(EventName)\n by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId\n| where count_ > threshold\n| mv-expand set_SourceIpAddress\n| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, \":\") + 1)\n| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT10M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery"
],
"techniques": [
"T1580"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}