Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt

AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt

Back
Idf7210a45-12a4-4d02-b59e-f23476827a4b
RulenameAWSCloudTrail - Unauthorized EC2 Instance Setup Attempt
DescriptionDetects an unauthorized attempt to launch an EC2 instance by a user without the necessary permissions. This may indicate an attempt to provision malicious infrastructure within the AWS subscription. Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances/
SeverityMedium
TacticsResourceDevelopment
TechniquesT1583
Required data connectorsAWS
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml
Version1.0.1
Arm templatef7210a45-12a4-4d02-b59e-f23476827a4b.json
Deploy To Azure
AWSCloudTrail
| where EventName == "RunInstances"
| where ErrorCode == "Client.UnauthorizedOperation"
| project TimeGenerated, AwsEventId, EventTypeName, UserIdentityPrincipalid, UserIdentityType,  UserIdentityAccountId, SessionMfaAuthenticated, SessionCreationDate, SessionIssuerUserName, SourceIpAddress, AWSRegion, UserAgent, RequestParameters, ErrorMessage
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_UnauthorizedInstanceSetUpAttempt.yaml
customDetails:
  AWSRegion: AWSRegion
  ErrorMessage: ErrorMessage
  UserAgent: UserAgent
  UserIdentityType: UserIdentityType
relevantTechniques:
- T1583
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
tactics:
- ResourceDevelopment
query: |
  AWSCloudTrail
  | where EventName == "RunInstances"
  | where ErrorCode == "Client.UnauthorizedOperation"
  | project TimeGenerated, AwsEventId, EventTypeName, UserIdentityPrincipalid, UserIdentityType,  UserIdentityAccountId, SessionMfaAuthenticated, SessionCreationDate, SessionIssuerUserName, SourceIpAddress, AWSRegion, UserAgent, RequestParameters, ErrorMessage
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]  
triggerOperator: gt
id: f7210a45-12a4-4d02-b59e-f23476827a4b
kind: Scheduled
queryFrequency: 10m
version: 1.0.1
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
alertDetailsOverride:
  alertDisplayNameFormat: Unauthorized EC2 instance launch attempt by {{UserIdentityPrincipalid}} in {{AWSRegion}}
  alertDescriptionFormat: User {{UserIdentityPrincipalid}} (type {{UserIdentityType}}) attempted an unauthorized EC2 instance launch in region {{AWSRegion}}.
description: |
    Detects an unauthorized attempt to launch an EC2 instance by a user without the necessary permissions. This may indicate an attempt to provision malicious infrastructure within the AWS subscription. Reference: https://stratus-red-team.cloud/attack-techniques/AWS/aws.execution.ec2-launch-unusual-instances/
status: Available
name: AWSCloudTrail - Unauthorized EC2 Instance Setup Attempt
severity: Medium
queryPeriod: 10m