Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports

AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports

Back
Idd2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9
RulenameAWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
DescriptionThis query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.

Publicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.
SeverityHigh
TacticsInitialAccess
LateralMovement
Discovery
TechniquesT1133
T1021
T1046
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml
Version1.0.0
Arm templated2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9.json
Deploy To Azure
let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/EC2.19"
      or tostring(ComplianceSecurityControlId) == "EC2.19"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsEc2SecurityGroup"
| extend SGDetails = Resource.Details.AwsEc2SecurityGroup
| extend IpPermissions = SGDetails.IpPermissions
| mv-expand Perm = IpPermissions
| where toint(Perm.FromPort) in (HighRiskPorts)
| mv-expand Range = Perm.IpRanges
| where tostring(Range.CidrIp) in ("0.0.0.0/0", "::/0")
| summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)
| extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, ", ")

queryPeriod: 1h
query: |
  let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/EC2.19"
        or tostring(ComplianceSecurityControlId) == "EC2.19"
  | mv-expand Resource = Resources
  | where tostring(Resource.Type) == "AwsEc2SecurityGroup"
  | extend SGDetails = Resource.Details.AwsEc2SecurityGroup
  | extend IpPermissions = SGDetails.IpPermissions
  | mv-expand Perm = IpPermissions
  | where toint(Perm.FromPort) in (HighRiskPorts)
  | mv-expand Range = Perm.IpRanges
  | where tostring(Range.CidrIp) in ("0.0.0.0/0", "::/0")
  | summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)
  | extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, ", ")  
name: AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
entityMappings:
- fieldMappings:
  - columnName: AwsAccountId
    identifier: Name
  - columnName: AwsAccountId
    identifier: CloudAppAccountId
  entityType: Account
- fieldMappings:
  - columnName: SecurityGroupARN
    identifier: Name
  entityType: CloudApplication
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml
tags:
- AWS Foundational Security Best Practices v1.0.0
- NIST 800-53 r5
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
description: |
  This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.
  Publicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.  
kind: Scheduled
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: EC2 Security group {{SecurityGroupId}} allows unrestricted high-risk ports
  alertDescriptionFormat: 'EC2 Security group {{SecurityGroupId}} allows unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports: {{OpenHighRiskPorts}}. Restrict or remove the offending rules.'
status: Available
severity: High
relevantTechniques:
- T1133
- T1021
- T1046
triggerOperator: gt
triggerThreshold: 0
customDetails:
  Region: AwsRegion
  SecurityGroupId: SecurityGroupId
  ComplianceControlId: ComplianceSecurityControlId
  OpenHighRiskPorts: OpenHighRiskPorts
  FindingId: AwsSecurityFindingId
tactics:
- InitialAccess
- LateralMovement
- Discovery
id: d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9