Hunting Queries/AWSCloudTrail/AWS_IAM_PolicyChange.txt
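// Name: Changes made to AWS IAM policy
// Description: Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. The IAM service is where many security incidents will get reflected.
// This query looks for API calls that change an IAM policy, particularly those related to policies being attached to (or detached from) users, groups and roles, inline policy changes, and managed policy version changes. In case these turn out to be noisy in some environments, the regular known ones can be filtered out.
//
// Id: e0a67cd7-b4e5-4468-aae0-26cb16a1bbd2
//
// DataSource: #AWSCloudTrail
//
// Tactics: #LateralMovement, #PrivilegeEscalation
//
// Look-back window for the hunt; adjust to the review cadence.
let timeframe = 7d;
AWSCloudTrail
| where TimeGenerated >= ago(timeframe)
// Case-insensitive match (in~) on IAM policy-mutating API calls.
// Attach/Detach, Put and Delete are listed symmetrically for users, groups and roles
// (the original list lacked DetachUserPolicy and PutRolePolicy and listed CreatePolicy twice).
// SetDefaultPolicyVersion is included because it changes which version of an existing
// managed policy is in effect without creating or attaching a new policy.
| where EventName in~ ("AttachGroupPolicy"
,"AttachRolePolicy"
,"AttachUserPolicy"
,"DetachGroupPolicy"
,"DetachRolePolicy"
,"DetachUserPolicy"
,"PutGroupPolicy"
,"PutRolePolicy"
,"PutUserPolicy"
,"DeleteGroupPolicy"
,"DeleteRolePolicy"
,"DeleteUserPolicy"
,"CreatePolicy"
,"DeletePolicy"
,"CreatePolicyVersion"
,"DeletePolicyVersion"
,"SetDefaultPolicyVersion")
// SessionMfaAuthenticated and UserAgent help triage: they separate interactive, MFA-backed
// console changes from unattended automation or long-lived access keys.
| project TimeGenerated , EventName , EventTypeName , UserIdentityAccountId , UserIdentityPrincipalid , UserAgent , UserIdentityUserName , SessionMfaAuthenticated , SourceIpAddress , AWSRegion , EventSource , AdditionalEventData , ResponseElements
// Entity mapping consumed by Sentinel for IP and account enrichment.
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityAccountId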