AWSCloudTrail
| where EventName == "ModifyInstanceAttribute" or EventName == "CreateLaunchTemplate"
| where RequestParameters contains "userData"
| extend userData_ = tostring(parse_json(RequestParameters).userData)
| extend instanceId_ = tostring(parse_json(RequestParameters).instanceId)
| project-away SourceSystem,Category,Type,TenantId,EventVersion,SessionIssuerAccountId
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
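# Microsoft Sentinel scheduled analytics rule (Azure-Sentinel repository format).
# The listing had lost all indentation (the sequences under entityMappings and the
# block scalars under query/description do not parse as written); this is the same
# document re-indented with 2 spaces and its keys put in the repository's usual order.
id: f8577e4d-8481-437b-a94e-06f615985668
name: EC2 Startup Shell Script Changed
description: |
  'Detects changes to the EC2 startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. ref : https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__startup_shell_script/main.py'
severity: Medium
requiredDataConnectors:
  - connectorId: AWS
    dataTypes:
      - AWSCloudTrail
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
relevantTechniques:
  - T1059
query: |
  AWSCloudTrail
  // CreateLaunchTemplateVersion is included because the user data of an existing
  // launch template is changed by publishing a new version, not by CreateLaunchTemplate.
  | where EventName in ("ModifyInstanceAttribute", "CreateLaunchTemplate", "CreateLaunchTemplateVersion")
  // 'contains' is case-insensitive, so userData/UserData both match here.
  | where RequestParameters contains "userData"
  // NOTE(review): launch-template events carry the user data inside a nested
  // launch-template object, so userData_ may be empty for them - confirm against live events.
  | extend userData_ = tostring(parse_json(RequestParameters).userData)
  | extend instanceId_ = tostring(parse_json(RequestParameters).instanceId)
  | project-away SourceSystem, Category, Type, TenantId, EventVersion, SessionIssuerAccountId
  // Keep the text after the first ':' of the principal id (the session-name part of an
  // assumed-role principal); indexof() is -1 when there is no colon, so the whole value is kept.
  | extend UserName = substring(UserIdentityPrincipalid, indexof(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName, '@')[0], UpnSuffix = split(UserName, '@')[1]
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UpnSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIpAddress
version: 1.0.1  # bumped because the query changed
kind: Scheduled
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml"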