AWS IAM Group Read Only Events

Severity: informational
Group by: userIdentity.arn
Log types: AWS.CloudTrail
Tags: AWS, Cloudtrail, Configuration Required, IAM, MITRE
Reference: https://attack.mitre.org/techniques/T1069/
Source: github.com/panther-labs/panther-analysis

This rule captures multiple read/list events related to IAM group management in AWS Cloudtrail.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1069` Permission Groups Discovery

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

AWS Discovery API Calls from VPN ASN for the First Time by Identity (Elastic)
Many Recon Events (Sigma)

Rule body yaml

AnalysisType: rule
Description: This rule captures multiple read/list events related to IAM group management in AWS Cloudtrail.
DisplayName: "AWS IAM Group Read Only Events"
Enabled: false
Filename: aws_iam_group_read_only_events.py
Reference: https://attack.mitre.org/techniques/T1069/
Runbook: Examine other activities done by this user to determine whether or not activity is suspicious.
Severity: Info
CreateAlert: false
Tags:
  - AWS
  - Cloudtrail
  - Configuration Required
  - IAM
  - MITRE
Tests:
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: 883efb94-aa58-4512-beb7-10a5fffa33e4
      eventName: GetGroup
      eventSource: iam.amazonaws.com
      eventTime: "2022-12-11 19:42:55"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: true
      recipientAccountId: "1231231234"
      requestID: f92dd1a7-ad07-4fef-9511-1081d2dd3585
      requestParameters:
        maxItems: 1000
        userName: user-name
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ASIAVKVYIOO7BDL4T5NG
        accountId: "1231231234"
        arn: arn:aws:sts::1231231234:assumed-role/AssumedRole-us-east-2/123123123456
        invokedBy: cloudformation.amazonaws.com
        principalId: AROAVKVYIOO7JN7TN7NSA:123123123456
        sessionContext:
          attributes:
            creationDate: "2022-12-11T19:42:54Z"
            mfaAuthenticated: "false"
          sessionIssuer:
            accountId: "1231231234"
            arn: arn:aws:iam::1231231234:role/PAssumedRole-us-east-2
            principalId: AROAVKVYIOO7JN7TN7NSA
            type: Role
            userName: AssumedRole-us-east-2
          webIdFederationData: {}
        type: AssumedRole
    Name: Get Group
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: 883efb94-aa58-4512-beb7-10a5fffa33e4
      eventName: GetGroupPolicy
      eventSource: iam.amazonaws.com
      eventTime: "2022-12-11 19:42:55"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: true
      recipientAccountId: "1231231234"
      requestID: f92dd1a7-ad07-4fef-9511-1081d2dd3585
      requestParameters:
        maxItems: 1000
        userName: user-name
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ASIAVKVYIOO7BDL4T5NG
        accountId: "1231231234"
        arn: arn:aws:sts::1231231234:assumed-role/AssumedRole-us-east-2/123123123456
        invokedBy: cloudformation.amazonaws.com
        principalId: AROAVKVYIOO7JN7TN7NSA:123123123456
        sessionContext:
          attributes:
            creationDate: "2022-12-11T19:42:54Z"
            mfaAuthenticated: "false"
          sessionIssuer:
            accountId: "1231231234"
            arn: arn:aws:iam::1231231234:role/PAssumedRole-us-east-2
            principalId: AROAVKVYIOO7JN7TN7NSA
            type: Role
            userName: AssumedRole-us-east-2
          webIdFederationData: {}
        type: AssumedRole
    Name: Get Group Policy
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: 883efb94-aa58-4512-beb7-10a5fffa33e4
      eventName: ListAttachedGroupPolicies
      eventSource: iam.amazonaws.com
      eventTime: "2022-12-11 19:42:55"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: true
      recipientAccountId: "1231231234"
      requestID: f92dd1a7-ad07-4fef-9511-1081d2dd3585
      requestParameters:
        maxItems: 1000
        userName: user-name
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ASIAVKVYIOO7BDL4T5NG
        accountId: "1231231234"
        arn: arn:aws:sts::1231231234:assumed-role/AssumedRole-us-east-2/123123123456
        invokedBy: cloudformation.amazonaws.com
        principalId: AROAVKVYIOO7JN7TN7NSA:123123123456
        sessionContext:
          attributes:
            creationDate: "2022-12-11T19:42:54Z"
            mfaAuthenticated: "false"
          sessionIssuer:
            accountId: "1231231234"
            arn: arn:aws:iam::1231231234:role/PAssumedRole-us-east-2
            principalId: AROAVKVYIOO7JN7TN7NSA
            type: Role
            userName: AssumedRole-us-east-2
          webIdFederationData: {}
        type: AssumedRole
    Name: List Attached Group Policies
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: 883efb94-aa58-4512-beb7-10a5fffa33e4
      eventName: ListGroups
      eventSource: iam.amazonaws.com
      eventTime: "2022-12-11 19:42:55"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: true
      recipientAccountId: "1231231234"
      requestID: f92dd1a7-ad07-4fef-9511-1081d2dd3585
      requestParameters:
        maxItems: 1000
        userName: user-name
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ASIAVKVYIOO7BDL4T5NG
        accountId: "1231231234"
        arn: arn:aws:sts::1231231234:assumed-role/AssumedRole-us-east-2/123123123456
        invokedBy: cloudformation.amazonaws.com
        principalId: AROAVKVYIOO7JN7TN7NSA:123123123456
        sessionContext:
          attributes:
            creationDate: "2022-12-11T19:42:54Z"
            mfaAuthenticated: "false"
          sessionIssuer:
            accountId: "1231231234"
            arn: arn:aws:iam::1231231234:role/PAssumedRole-us-east-2
            principalId: AROAVKVYIOO7JN7TN7NSA
            type: Role
            userName: AssumedRole-us-east-2
          webIdFederationData: {}
        type: AssumedRole
    Name: List Groups
  - ExpectedResult: true
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: 883efb94-aa58-4512-beb7-10a5fffa33e4
      eventName: ListGroupsForUser
      eventSource: iam.amazonaws.com
      eventTime: "2022-12-11 19:42:55"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: true
      recipientAccountId: "1231231234"
      requestID: f92dd1a7-ad07-4fef-9511-1081d2dd3585
      requestParameters:
        maxItems: 1000
        userName: user-name
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ASIAVKVYIOO7BDL4T5NG
        accountId: "1231231234"
        arn: arn:aws:sts::1231231234:assumed-role/AssumedRole-us-east-2/123123123456
        invokedBy: cloudformation.amazonaws.com
        principalId: AROAVKVYIOO7JN7TN7NSA:123123123456
        sessionContext:
          attributes:
            creationDate: "2022-12-11T19:42:54Z"
            mfaAuthenticated: "false"
          sessionIssuer:
            accountId: "1231231234"
            arn: arn:aws:iam::1231231234:role/PAssumedRole-us-east-2
            principalId: AROAVKVYIOO7JN7TN7NSA
            type: Role
            userName: AssumedRole-us-east-2
          webIdFederationData: {}
        type: AssumedRole
    Name: List Groups for User
  - ExpectedResult: false
    Log:
      awsRegion: us-east-1
      eventCategory: Management
      eventID: 883efb94-aa58-4512-beb7-10a5fffa33e4
      eventName: DetachUserGroup
      eventSource: iam.amazonaws.com
      eventTime: "2022-12-11 19:42:55"
      eventType: AwsApiCall
      eventVersion: "1.08"
      managementEvent: true
      readOnly: true
      recipientAccountId: "1231231234"
      requestID: f92dd1a7-ad07-4fef-9511-1081d2dd3585
      requestParameters:
        maxItems: 1000
        userName: user-name
      sourceIPAddress: cloudformation.amazonaws.com
      userAgent: cloudformation.amazonaws.com
      userIdentity:
        accessKeyId: ASIAVKVYIOO7BDL4T5NG
        accountId: "1231231234"
        arn: arn:aws:sts::1231231234:assumed-role/AssumedRole-us-east-2/123123123456
        invokedBy: cloudformation.amazonaws.com
        principalId: AROAVKVYIOO7JN7TN7NSA:123123123456
        sessionContext:
          attributes:
            creationDate: "2022-12-11T19:42:54Z"
            mfaAuthenticated: "false"
          sessionIssuer:
            accountId: "1231231234"
            arn: arn:aws:iam::1231231234:role/PAssumedRole-us-east-2
            principalId: AROAVKVYIOO7JN7TN7NSA
            type: Role
            userName: AssumedRole-us-east-2
          webIdFederationData: {}
        type: AssumedRole
    Name: Detach User Group
DedupPeriodMinutes: 60
LogTypes:
  - AWS.CloudTrail
RuleID: "AWS.IAM.Group.Read.Only.Events"
Threshold: 2

Detection logic

Condition

userIdentity.arn not in
eventSource eq "iam.amazonaws.com"
eventName in ["GetGroup", "GetGroupPolicy", "ListAttachedGroupPolicies", "ListGroupPolicies", "ListGroups", "ListGroupsForUser"]

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`userIdentity.arn`	in	(no value, null check)

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`eventName`	in	`GetGroup` `GetGroupPolicy` `ListAttachedGroupPolicies` `ListGroupPolicies` `ListGroups` `ListGroupsForUser`
`eventSource`	eq	`iam.amazonaws.com`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`eventName`
`eventSource`
`awsRegion`
`recipientAccountId`
`sourceIPAddress`
`userAgent`
`userIdentity`
`arn`	`userIdentity.arn`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)