Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User IAM Enumeration

User IAM Enumeration

Back
Idcfaaf0bc-16d1-48df-ac8b-9d901bbd516a
RulenameUser IAM Enumeration
DescriptionDetects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted
SeverityMedium
TacticsDiscovery
TechniquesT1580
Required data connectorsAWS
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
Version1.0.0
Arm templatecfaaf0bc-16d1-48df-ac8b-9d901bbd516a.json
Deploy To Azure
let threshold = 50; 
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
    count(),
    make_set(AWSRegion),
    make_set(UserAgent),
    make_set(SourceIpAddress),
    make_set(ErrorCode),
    make_set(ErrorMessage),
    make_set(EventName)
    by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
query: |
  let threshold = 50; 
  AWSCloudTrail
  | where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
  | summarize
      count(),
      make_set(AWSRegion),
      make_set(UserAgent),
      make_set(SourceIpAddress),
      make_set(ErrorCode),
      make_set(ErrorMessage),
      make_set(EventName)
      by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
  | where count_ > threshold
  | mv-expand set_SourceIpAddress
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
tactics:
- Discovery
name: User IAM Enumeration
relevantTechniques:
- T1580
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: set_SourceIpAddress
  entityType: IP
kind: Scheduled
queryFrequency: 10m
description: |
    'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
queryPeriod: 10m
id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a