Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User IAM Enumeration

User IAM Enumeration

Back
Idcfaaf0bc-16d1-48df-ac8b-9d901bbd516a
RulenameUser IAM Enumeration
DescriptionDetects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted
SeverityMedium
TacticsDiscovery
TechniquesT1580
Required data connectorsAWS
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
Version1.0.0
Arm templatecfaaf0bc-16d1-48df-ac8b-9d901bbd516a.json
Deploy To Azure
let threshold = 50; 
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
    count(),
    make_set(AWSRegion),
    make_set(UserAgent),
    make_set(SourceIpAddress),
    make_set(ErrorCode),
    make_set(ErrorMessage),
    make_set(EventName)
    by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
version: 1.0.0
queryPeriod: 10m
query: |
  let threshold = 50; 
  AWSCloudTrail
  | where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
  | summarize
      count(),
      make_set(AWSRegion),
      make_set(UserAgent),
      make_set(SourceIpAddress),
      make_set(ErrorCode),
      make_set(ErrorMessage),
      make_set(EventName)
      by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
  | where count_ > threshold
  | mv-expand set_SourceIpAddress
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
kind: Scheduled
name: User IAM Enumeration
triggerOperator: gt
severity: Medium
id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: set_SourceIpAddress
queryFrequency: 10m
description: |
    'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
relevantTechniques:
- T1580
tactics:
- Discovery