Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports

AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports

Back
Idd2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9
RulenameAWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
DescriptionThis query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.

Publicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.
SeverityHigh
TacticsInitialAccess
LateralMovement
Discovery
TechniquesT1133
T1021
T1046
Required data connectorsAWSSecurityHub
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml
Version1.0.0
Arm templated2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9.json
Deploy To Azure
let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);
AWSSecurityHubFindings
| where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
| where tostring(AwsSecurityFindingGeneratorId) == "security-control/EC2.19"
      or tostring(ComplianceSecurityControlId) == "EC2.19"
| mv-expand Resource = Resources
| where tostring(Resource.Type) == "AwsEc2SecurityGroup"
| extend SGDetails = Resource.Details.AwsEc2SecurityGroup
| extend IpPermissions = SGDetails.IpPermissions
| mv-expand Perm = IpPermissions
| where toint(Perm.FromPort) in (HighRiskPorts)
| mv-expand Range = Perm.IpRanges
| where tostring(Range.CidrIp) in ("0.0.0.0/0", "::/0")
| summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))
    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
       AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)
| extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, ", ")

tactics:
- InitialAccess
- LateralMovement
- Discovery
name: AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports
id: d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9
requiredDataConnectors:
- connectorId: AWSSecurityHub
  dataTypes:
  - AWSSecurityHubFindings
query: |
  let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);
  AWSSecurityHubFindings
  | where RecordState == "ACTIVE" and ComplianceStatus == "FAILED"
  | where tostring(AwsSecurityFindingGeneratorId) == "security-control/EC2.19"
        or tostring(ComplianceSecurityControlId) == "EC2.19"
  | mv-expand Resource = Resources
  | where tostring(Resource.Type) == "AwsEc2SecurityGroup"
  | extend SGDetails = Resource.Details.AwsEc2SecurityGroup
  | extend IpPermissions = SGDetails.IpPermissions
  | mv-expand Perm = IpPermissions
  | where toint(Perm.FromPort) in (HighRiskPorts)
  | mv-expand Range = Perm.IpRanges
  | where tostring(Range.CidrIp) in ("0.0.0.0/0", "::/0")
  | summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))
      by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,
         AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)
  | extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, ", ")  
relevantTechniques:
- T1133
- T1021
- T1046
description: |
  This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.
  Publicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.  
triggerOperator: gt
queryPeriod: 1h
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AwsAccountId
  - identifier: CloudAppAccountId
    columnName: AwsAccountId
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: SecurityGroupARN
  entityType: CloudApplication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: EC2 Security group {{SecurityGroupId}} allows unrestricted high-risk ports
  alertDescriptionFormat: 'EC2 Security group {{SecurityGroupId}} allows unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports: {{OpenHighRiskPorts}}. Restrict or remove the offending rules.'
triggerThreshold: 0
tags:
- AWS Foundational Security Best Practices v1.0.0
- NIST 800-53 r5
kind: Scheduled
queryFrequency: 1h
status: Available
customDetails:
  Region: AwsRegion
  OpenHighRiskPorts: OpenHighRiskPorts
  ComplianceControlId: ComplianceSecurityControlId
  SecurityGroupId: SecurityGroupId
  FindingId: AwsSecurityFindingId

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "EC2 Security group {{SecurityGroupId}} allows unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports: {{OpenHighRiskPorts}}. Restrict or remove the offending rules.",
          "alertDisplayNameFormat": "EC2 Security group {{SecurityGroupId}} allows unrestricted high-risk ports"
        },
        "alertRuleTemplateName": "d2b6fa0f-6a4c-4c48-8c64-5e2e1ac4e7b9",
        "customDetails": {
          "ComplianceControlId": "ComplianceSecurityControlId",
          "FindingId": "AwsSecurityFindingId",
          "OpenHighRiskPorts": "OpenHighRiskPorts",
          "Region": "AwsRegion",
          "SecurityGroupId": "SecurityGroupId"
        },
        "description": "This query detects EC2 Security Groups that allow unrestricted (0.0.0.0/0 or ::/0) ingress to high-risk ports using AWS Security Hub control EC2.19 findings.\nPublicly exposed management, database, and service ports (e.g., RDP 3389, SSH 22, SQL 1433/3306) significantly increase the risk of brute-force attacks, exploitation, and lateral movement.\n",
        "displayName": "AWS Security Hub - Detect EC2 Security groups allowing unrestricted high-risk ports",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AwsAccountId",
                "identifier": "Name"
              },
              {
                "columnName": "AwsAccountId",
                "identifier": "CloudAppAccountId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SecurityGroupARN",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AWS Security Hub/Analytic Rules/EC2SecurityGroupHighRiskOpenPorts.yaml",
        "query": "let HighRiskPorts = dynamic([3389,20,23,110,143,3306,8080,1433,9200,9300,25,445,135,21,1434,4333,5432,5500,5601,22,3000,5000,8088,8888]);\nAWSSecurityHubFindings\n| where RecordState == \"ACTIVE\" and ComplianceStatus == \"FAILED\"\n| where tostring(AwsSecurityFindingGeneratorId) == \"security-control/EC2.19\"\n      or tostring(ComplianceSecurityControlId) == \"EC2.19\"\n| mv-expand Resource = Resources\n| where tostring(Resource.Type) == \"AwsEc2SecurityGroup\"\n| extend SGDetails = Resource.Details.AwsEc2SecurityGroup\n| extend IpPermissions = SGDetails.IpPermissions\n| mv-expand Perm = IpPermissions\n| where toint(Perm.FromPort) in (HighRiskPorts)\n| mv-expand Range = Perm.IpRanges\n| where tostring(Range.CidrIp) in (\"0.0.0.0/0\", \"::/0\")\n| summarize TimeGenerated = max(TimeGenerated), OpenHighRiskPorts = make_set(tostring(Perm.FromPort))\n    by AwsAccountId, AwsRegion, AwsSecurityFindingTitle, AwsSecurityFindingDescription,\n       AwsSecurityFindingId, ComplianceSecurityControlId, SecurityGroupId = tostring(SGDetails.GroupId), SecurityGroupARN = tostring(Resource.Id)\n| extend OpenHighRiskPorts = strcat_array(OpenHighRiskPorts, \", \")\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess",
          "LateralMovement"
        ],
        "tags": [
          "AWS Foundational Security Best Practices v1.0.0",
          "NIST 800-53 r5"
        ],
        "techniques": [
          "T1021",
          "T1046",
          "T1133"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}