Description
Describe the bug
In the analytics rule named Suspicious overly permissive KMS key policy created, it doesn't appear to alert on any of the activity. It appears that this is due to attempting to match (using ==) kms:Encrypt or kms:* while these values are contained within an array.
To Reproduce
Steps to reproduce the behavior:
- Go to Sentinel -> Analytics Rules
- Click on Suspicious overly permissive KMS key policy created
- Navigate to the Query logic
- Attempt to run the query while the events are within your logs.
Expected behavior
I expect this rule to fire when the logic is met.
Additional context
This appears to be a better version of the query:
//A variable to contain the actions we want to monitor
let kmsActions = dynamic(["kms:Encrypt", "kms:"]);
AWSCloudTrail
| where EventName in ("CreateKey", "PutKeyPolicy")
and isempty(ErrorCode)
and isempty(ErrorMessage)
| extend Statement = parse_json(tostring((parse_json(RequestParameters).policy))).Statement
| mvexpand Statement
| extend
Action = tostring(parse_json(Statement).Action),
Effect = tostring(parse_json(Statement).Effect),
Principal = iff(isnotempty(tostring(parse_json(Statement).Principal.AWS)), tostring(parse_json(Statement).Principal.AWS), tostring(parse_json(Statement).Principal))
| where Effect =~ "Allow"
//This is where it is attempting to match the exact values contained within the array:
// and (Action == "kms:Encrypt" or Action == "kms:")
//This is the change I have made.
and Action has_any (kmsActions)
and Principal == "*"
| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
| extend UserName = tostring(split(UserIdentityArn, '/')[-1])
| extend AccountName = case(UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
| extend
AccountName = iif(AccountName contains "@", tostring(split(AccountName, '@', 0)[0]), AccountName),
AccountUPNSuffix = iif(AccountName contains "@", tostring(split(AccountName, '@', 1)[0]), "")
| extend timestamp = TimeGenerated
