Microsoft Sentinel Analytic Rules

AWSCloudTrail - EC2 Startup Shell Script Changed

Id: f8577e4d-8481-437b-a94e-06f615985668
Rulename: AWSCloudTrail - EC2 Startup Shell Script Changed
Description: Identifies changes to the EC2 startup script (the instance user data). The script runs as root (Linux) or SYSTEM (Windows) when the instance boots, and with the cloud-init or EC2Launch directives an attacker can embed in it, it runs on every boot rather than only the first. ref: https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__startup_shell_script/main.py
Severity: Medium
Tactics: Execution
Techniques: T1059
Required data connectors: AWS
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml
Version: 1.0.1
Arm template: f8577e4d-8481-437b-a94e-06f615985668.json
AWSCloudTrail
| where EventName in~ ("ModifyInstanceAttribute", "CreateLaunchTemplate")
| extend RequestParametersJson = parse_json(RequestParameters)
| where tostring(RequestParametersJson.userData) != ""
| extend userData_ = tostring(RequestParametersJson.userData)
| extend instanceId_ = tostring(RequestParametersJson.instanceId)
| project-away SourceSystem, Category, Type, TenantId, EventVersion, SessionIssuerAccountId
| extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
| extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
| project TimeGenerated, EventName, UserName, Name, UpnSuffix, instanceId_, AWSRegion, SourceIpAddress, EventSource, UserIdentityArn, EventTypeName
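The KQL above is hard to dry-run without a workspace, so here is the same filter re-implemented in Python and applied to a handful of constructed AWSCloudTrail rows. This is an added example, not code from the Sentinel rule or the Azure-Sentinel repository; column names follow the query, but every record, principal, account id, IP and script body is made up, and the nested request shape used for the CreateLaunchTemplate row is an assumption about how that API's parameters are logged, not copied from a real CloudTrail event.

```python
"""Added example, not code from the Sentinel rule or the Azure-Sentinel repo:
the rule's filter re-implemented in Python and run over constructed
AWSCloudTrail rows, so the logic can be checked offline before tuning it.
Column names follow the KQL; every record below is made up."""
import base64
import json
from typing import Any

# `in~` in KQL is case-insensitive, so compare lower-cased names.
WATCHED_EVENTS = {"modifyinstanceattribute", "createlaunchtemplate"}


def username_from_principal(principal_id: str) -> str:
    """Mirror substring(UserIdentityPrincipalid, indexof_regex(..., ":") + 1).
    An assumed-role principal id is "AROA...:session-name"; an IAM user id has
    no colon, indexof returns -1, and the whole id is kept."""
    return principal_id[principal_id.find(":") + 1:]


def user_data_top_level(params: Any) -> str:
    """What the rule tests: tostring(RequestParametersJson.userData)."""
    if isinstance(params, dict):
        value = params.get("userData")
        return value if isinstance(value, str) else ""
    return ""


def user_data_any_depth(node: Any) -> str:
    """Case-insensitive search for a userData key at any depth; shows what the
    top-level lookup misses when the request parameters are nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "userdata" and isinstance(value, str) and value:
                return value
            found = user_data_any_depth(value)
            if found:
                return found
    elif isinstance(node, list):
        for item in node:
            found = user_data_any_depth(item)
            if found:
                return found
    return ""


def detect(rows: list[dict], deep: bool = False) -> list[dict]:
    """Apply the rule to AWSCloudTrail-shaped rows; return the projected alert
    rows plus the title that alertDisplayNameFormat would render."""
    extract = user_data_any_depth if deep else user_data_top_level
    alerts = []
    for r in rows:
        if r["EventName"].lower() not in WATCHED_EVENTS:
            continue
        params = json.loads(r["RequestParameters"])   # parse_json(RequestParameters)
        if not extract(params):
            continue
        user_name = username_from_principal(r["UserIdentityPrincipalid"])
        name, _, upn_suffix = user_name.partition("@")   # split(UserName,'@')[0] / [1]
        instance_id = params.get("instanceId", "") if isinstance(params, dict) else ""
        alerts.append({
            "TimeGenerated": r["TimeGenerated"], "EventName": r["EventName"],
            "UserName": user_name, "Name": name, "UpnSuffix": upn_suffix,
            "instanceId_": instance_id, "AWSRegion": r["AWSRegion"],
            "SourceIpAddress": r["SourceIpAddress"], "EventSource": r["EventSource"],
            "UserIdentityArn": r["UserIdentityArn"], "EventTypeName": r["EventTypeName"],
            "Title": f"EC2 startup script changed on {instance_id} by {user_name}",
        })
    return alerts


def _row(event: str, params: dict, principal: str, arn: str) -> dict:
    """One constructed AWSCloudTrail row; RequestParameters is the JSON string
    that parse_json() receives in the KQL."""
    return {"TimeGenerated": "2024-05-01T10:00:00Z", "EventName": event,
            "RequestParameters": json.dumps(params),
            "UserIdentityPrincipalid": principal, "UserIdentityArn": arn,
            "AWSRegion": "us-east-1", "SourceIpAddress": "203.0.113.10",
            "EventSource": "ec2.amazonaws.com", "EventTypeName": "AwsApiCall"}


# A harmless script stands in for an attacker's; CloudTrail may log a
# placeholder instead of the body, and the rule only tests for non-empty.
SCRIPT_B64 = base64.b64encode(b"#!/bin/bash\necho constructed-sample\n").decode()
ROLE, ROLE_ARN = "AROAEXAMPLEROLEID:alice@example.com", "arn:aws:sts::123456789012:assumed-role/Admin/alice@example.com"
USER, USER_ARN = "AIDAEXAMPLEUSERID", "arn:aws:iam::123456789012:user/bob"

SAMPLE_ROWS = [
    # 1. user data rewritten on a stopped instance: the case the rule targets
    _row("ModifyInstanceAttribute",
         {"instanceId": "i-0123456789abcdef0", "userData": SCRIPT_B64}, ROLE, ROLE_ARN),
    # 2. same API, different attribute: no userData key, must not alert
    _row("ModifyInstanceAttribute",
         {"instanceId": "i-0123456789abcdef0", "instanceType": {"value": "t3.large"}},
         ROLE, ROLE_ARN),
    # 3. a fresh instance launched with user data: not in the watched event list
    _row("RunInstances", {"userData": SCRIPT_B64, "instanceType": "t3.micro"}, ROLE, ROLE_ARN),
    # 4. launch template with nested user data (assumed nesting, not a real
    #    record): the top-level lookup misses it, the deep search finds it
    _row("CreateLaunchTemplate",
         {"CreateLaunchTemplateRequest": {"LaunchTemplateName": "web",
                                          "LaunchTemplateData": {"UserData": SCRIPT_B64}}},
         USER, USER_ARN),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_ROWS, deep=True):
        print(alert["Title"], "<-", alert["EventName"])
```

Two things worth checking against your own logs before relying on the rule as written. First, `RequestParametersJson.userData` only matches a top-level key, so if your CreateLaunchTemplate events carry the user data under a nested request object (as the constructed row 4 assumes), that branch of the `in~` list never fires; a deeper lookup like `user_data_any_depth` is the fix. Second, user data can only be changed on a stopped instance, so a genuine hit on ModifyInstanceAttribute is normally bracketed by StopInstances and StartInstances from the same principal, which is the quickest way to triage the alert; instances launched with malicious user data via RunInstances (row 3) are out of scope for this rule.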
status: Available
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
query: |
  AWSCloudTrail
  | where EventName in~ ("ModifyInstanceAttribute", "CreateLaunchTemplate")
  | extend RequestParametersJson = parse_json(RequestParameters)
  | where tostring(RequestParametersJson.userData) != ""
  | extend userData_ = tostring(RequestParametersJson.userData)
  | extend instanceId_ = tostring(RequestParametersJson.instanceId)
  | project-away SourceSystem, Category, Type, TenantId, EventVersion, SessionIssuerAccountId
  | extend UserName = substring(UserIdentityPrincipalid, indexof_regex(UserIdentityPrincipalid, ":") + 1)
  | extend Name = split(UserName,'@')[0],UpnSuffix = split(UserName,'@')[1]
  | project TimeGenerated, EventName, UserName, Name, UpnSuffix, instanceId_, AWSRegion, SourceIpAddress, EventSource, UserIdentityArn, EventTypeName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon Web Services/Analytic Rules/AWS_EC2StartupShellScriptChanged.yaml
tactics:
- Execution
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UpnSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
alertDetailsOverride:
  alertDescriptionFormat: EC2 startup script changed on {{instanceId_}} by {{UserName}} in {{AWSRegion}}.
  alertDisplayNameFormat: EC2 startup script changed on {{instanceId_}} by {{UserName}}
relevantTechniques:
- T1059
customDetails:
  EventSource: EventSource
  EventType: EventTypeName
  EventName: EventName
  InstanceId: instanceId_
  AWSRegion: AWSRegion
description: |
    Identifies changes to the EC2 startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. ref : https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__startup_shell_script/main.py
name: AWSCloudTrail - EC2 Startup Shell Script Changed
version: 1.0.1
kind: Scheduled
id: f8577e4d-8481-437b-a94e-06f615985668
severity: Medium