// Flags principals that burst through IAM read/list APIs: the per-principal
// call count in a 10-minute bin must exceed `threshold` for a row to surface.
// Calls spread thinly enough to stay under the threshold in every bin do not
// alert, so the value is a tuning knob, not a hard guarantee.
let threshold = 50;
AWSCloudTrail
// Enumeration-style IAM APIs. KQL `in` is case-sensitive, so these strings
// must match CloudTrail's EventName casing exactly.
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
// count_ is the trigger column; the make_set columns only carry context
// (regions, user agents, source IPs, error codes/messages, APIs hit) into the alert.
count(),
make_set(AWSRegion),
make_set(UserAgent),
make_set(SourceIpAddress),
make_set(ErrorCode),
make_set(ErrorMessage),
make_set(EventName)
// Keyed on fixed wall-clock 10-minute bins plus the principal. A burst that
// straddles a bin boundary is split over two rows and may sit under threshold
// in both. NOTE(review): the rule's queryPeriod is also 10m, so one run never
// covers a full bin on both sides of the window; consider a wider lookback.
by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
// One output row per distinct source IP so each maps to its own IP entity.
| mv-expand set_SourceIpAddress
// Keep everything after the first ':' (presumably "<role id>:<session name>"
// for assumed roles). indexof_regex returns -1 when there is no ':', so a
// plain IAM user principal id is kept whole -- intended, but worth knowing.
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
// Split an email-style name into account name and UPN suffix for the Account
// entity; a name without '@' leaves UpnSuffix null/empty.
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UpnSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: set_SourceIpAddress
tactics:
- Discovery
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
alertDetailsOverride:
alertDisplayNameFormat: IAM enumeration detected - {{count_}} API calls by {{UserIdentityPrincipalid}}
alertDescriptionFormat: User {{UserIdentityPrincipalid}} performed {{count_}} IAM enumeration API calls within a 10-minute window in AWS account {{UserIdentityAccountId}}.
id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
severity: Medium
status: Available
customDetails:
AWSAccountId: UserIdentityAccountId
PrincipalId: UserIdentityPrincipalid
EventCount: count_
query: |
// Flags principals that burst through IAM read/list APIs: the per-principal
// call count in a 10-minute bin must exceed `threshold` for a row to surface.
// Calls spread thinly enough to stay under the threshold in every bin do not
// alert, so the value is a tuning knob, not a hard guarantee.
let threshold = 50;
AWSCloudTrail
// Enumeration-style IAM APIs. KQL `in` is case-sensitive, so these strings
// must match CloudTrail's EventName casing exactly.
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
// count_ is the trigger column; the make_set columns only carry context
// (regions, user agents, source IPs, error codes/messages, APIs hit) into the alert.
count(),
make_set(AWSRegion),
make_set(UserAgent),
make_set(SourceIpAddress),
make_set(ErrorCode),
make_set(ErrorMessage),
make_set(EventName)
// Keyed on fixed wall-clock 10-minute bins plus the principal. A burst that
// straddles a bin boundary is split over two rows and may sit under threshold
// in both. NOTE(review): the rule's queryPeriod is also 10m, so one run never
// covers a full bin on both sides of the window; consider a wider lookback.
by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
// One output row per distinct source IP so each maps to its own IP entity.
| mv-expand set_SourceIpAddress
// Keep everything after the first ':' (presumably "<role id>:<session name>"
// for assumed roles). indexof_regex returns -1 when there is no ':', so a
// plain IAM user principal id is kept whole -- intended, but worth knowing.
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
// Split an email-style name into account name and UPN suffix for the Account
// entity; a name without '@' leaves UpnSuffix null/empty.
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
kind: Scheduled
queryPeriod: 10m
version: 1.0.1
name: AWSCloudTrail - User IAM Enumeration
queryFrequency: 10m
triggerThreshold: 0
relevantTechniques:
- T1580
description: |
Detects enumeration of IAM account configuration via repeated API calls to list roles, users, groups, and policies within a short time period. The threshold can be adjusted to reduce false positives from authorized cloud scanners such as Wiz.
triggerOperator: gt