You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
In the analytics rule named Suspicious overly permissive KMS key policy created, it doesn't appear to alert on any of the activity. It appears that this is due to attempting to match (using ==) kms:Encrypt or kms:* while these values are contained within an array.
To Reproduce
Steps to reproduce the behavior:
Go to Sentinel -> Analytics Rules
Click on Suspicious overly permissive KMS key policy created
Navigate to the Query logic
Attempt to run the query while the events are within your logs.
Expected behavior
I expect this rule to fire when the logic is met.
Additional context
This appears to be a better version of the query:
//A variable to contain the actions we want to monitor
let kmsActions = dynamic(["kms:Encrypt", "kms:"]);
AWSCloudTrail
| where EventName in ("CreateKey", "PutKeyPolicy")
and isempty(ErrorCode)
and isempty(ErrorMessage)
| extend Statement = parse_json(tostring((parse_json(RequestParameters).policy))).Statement
| mvexpand Statement
| extend
Action = tostring(parse_json(Statement).Action),
Effect = tostring(parse_json(Statement).Effect),
Principal = iff(isnotempty(tostring(parse_json(Statement).Principal.AWS)), tostring(parse_json(Statement).Principal.AWS), tostring(parse_json(Statement).Principal))
| where Effect =~ "Allow"
//This is where it is attempting to match the exact values contained within the array:
// and (Action == "kms:Encrypt" or Action == "kms:")
//This is the change I have made.
and Action has_any (kmsActions)
and Principal == "*"
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case(UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend
AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| extend timestamp = TimeGenerated
The text was updated successfully, but these errors were encountered:
Describe the bug
In the analytics rule named Suspicious overly permissive KMS key policy created, it doesn't appear to alert on any of the activity. It appears that this is due to attempting to match (using ==) kms:Encrypt or kms:* while these values are contained within an array.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I expect this rule to fire when the logic is met.
Additional context
This appears to be a better version of the query:
//A variable to contain the actions we want to monitor
let kmsActions = dynamic(["kms:Encrypt", "kms:"]);
AWSCloudTrail
| where EventName in ("CreateKey", "PutKeyPolicy")
and isempty(ErrorCode)
and isempty(ErrorMessage)
| extend Statement = parse_json(tostring((parse_json(RequestParameters).policy))).Statement
| mvexpand Statement
| extend
Action = tostring(parse_json(Statement).Action),
Effect = tostring(parse_json(Statement).Effect),
Principal = iff(isnotempty(tostring(parse_json(Statement).Principal.AWS)), tostring(parse_json(Statement).Principal.AWS), tostring(parse_json(Statement).Principal))
| where Effect =~ "Allow"
//This is where it is attempting to match the exact values contained within the array:
// and (Action == "kms:Encrypt" or Action == "kms:")
//This is the change I have made.
and Action has_any (kmsActions)
and Principal == "*"
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case(UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend
AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| extend timestamp = TimeGenerated
The text was updated successfully, but these errors were encountered: