User IAM Enumeration

Back


Id	cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
Rulename	User IAM Enumeration
Description	Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted
Severity	Medium
Tactics	Discovery
Techniques	T1580
Required data connectors	AWS
Kind	Scheduled
Query frequency	10m
Query period	10m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
Version	1.0.0
Arm template	cfaaf0bc-16d1-48df-ac8b-9d901bbd516a.json

KQL

let threshold = 50; 
AWSCloudTrail
| where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
| summarize
    count(),
    make_set(AWSRegion),
    make_set(UserAgent),
    make_set(SourceIpAddress),
    make_set(ErrorCode),
    make_set(ErrorMessage),
    make_set(EventName)
    by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
| where count_ > threshold
| mv-expand set_SourceIpAddress
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

YAML

id: cfaaf0bc-16d1-48df-ac8b-9d901bbd516a
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UserIAMEnumeration.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: set_SourceIpAddress
  entityType: IP
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
queryFrequency: 10m
queryPeriod: 10m
status: Available
query: |
  let threshold = 50; 
  AWSCloudTrail
  | where EventName in ("ListAttachedRolePolicies","ListRoles","ListGroupsForUser","ListAttachedUserPolicies","ListAccessKeys","ListUsers")
  | summarize
      count(),
      make_set(AWSRegion),
      make_set(UserAgent),
      make_set(SourceIpAddress),
      make_set(ErrorCode),
      make_set(ErrorMessage),
      make_set(EventName)
      by bin(TimeGenerated, 10m), UserIdentityPrincipalid, UserIdentityArn, UserIdentityAccountId
  | where count_ > threshold
  | mv-expand set_SourceIpAddress
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
name: User IAM Enumeration
kind: Scheduled
tactics:
- Discovery
severity: Medium
relevantTechniques:
- T1580
triggerThreshold: 0
version: 1.0.0
description: |
    'Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. WL Scanner of Cloud Account such as Wiz and threshold can be adjusted'

ARM