crowdstrike_cql
AWS S3 Bucket Policy Updates
This query lists every S3 bucket whose bucket policy was successfully modified, by matching CloudTrail PutBucketPolicy events, and shows the ARN of the IAM principal that made the change. The success filter drops failed attempts (for example an AccessDenied call), so denied policy writes do not appear; the BucketName and AwsAccount parameters narrow the results to particular buckets or accounts. AWS PutBucketPolicy: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html
Detection Query
#Vendor="aws" #event.dataset="cloudtrail.s3" #repo!="xdr*"
| #event.kind="event" #event.outcome="success"
| event.action="PutBucketPolicy"
| cloud.Storage.bucket_name =~ in(values=[?BucketName])
| cloud.account.id =~ in(values=[?AwsAccount])
| UserARN := getField("Vendor.userIdentity.arn")
| BucketName := getField("cloud.Storage.bucket_name")
| select(["@timestamp","BucketName", "UserARN"])
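The following Python is an added example that re-implements the query's filter logic offline over constructed CloudTrail records; it is not ByteRay's code nor a CrowdStrike tool. The mapping of the CQL fields onto raw CloudTrail fields (cloud.Storage.bucket_name to requestParameters.bucketName, Vendor.userIdentity.arn to userIdentity.arn, cloud.account.id to recipientAccountId, the success outcome to the absence of errorCode) is an assumption about how the Next-Gen SIEM normalises S3 CloudTrail events, and fnmatch stands in for the wildcard matching of the ?BucketName and ?AwsAccount parameters. It goes one step beyond the query: because a PutBucketPolicy record carries the new policy document, the example also flags hits whose policy grants access to a wildcard principal, which is the first thing a responder would check on a hit.

```python
import json
from fnmatch import fnmatchcase

# Constructed CloudTrail records (not real telemetry). Field names follow the
# CloudTrail event shape for S3 calls; the denied attempt carries errorCode.
ACCOUNT = "111122223333"
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-assets/*"}]}


def _cloudtrail(time, name, arn, bucket, policy=None, error=None):
    """Build one constructed CloudTrail record as a JSON log line."""
    ev = {"eventTime": time, "eventSource": "s3.amazonaws.com",
          "eventName": name, "recipientAccountId": ACCOUNT,
          "userIdentity": {"arn": arn},
          "requestParameters": {"bucketName": bucket}}
    if policy is not None:
        ev["requestParameters"]["bucketPolicy"] = policy
    if error:
        ev["errorCode"] = error
    return json.dumps(ev)


SAMPLE_EVENTS = [
    _cloudtrail("2024-05-01T10:00:00Z", "PutBucketPolicy",
                f"arn:aws:iam::{ACCOUNT}:user/alice", "finance-reports",
                PRIVATE_POLICY),
    _cloudtrail("2024-05-01T10:05:00Z", "PutBucketPolicy",
                f"arn:aws:sts::{ACCOUNT}:assumed-role/deploy/ci",
                "public-assets", PUBLIC_POLICY),
    # Denied write: excluded by the outcome=success filter.
    _cloudtrail("2024-05-01T10:07:00Z", "PutBucketPolicy",
                f"arn:aws:iam::{ACCOUNT}:user/bob", "finance-reports",
                error="AccessDenied"),
    # Different API call: excluded by the event.action filter.
    _cloudtrail("2024-05-01T10:09:00Z", "PutBucketAcl",
                f"arn:aws:iam::{ACCOUNT}:user/alice", "finance-reports"),
]


def is_public_policy(policy):
    """True if any Allow statement names a wildcard principal."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            aws = principal.get("AWS", [])
            if aws == "*" or (isinstance(aws, list) and "*" in aws):
                return True
    return False


def detect_policy_updates(raw_lines, bucket_pattern="*", account_pattern="*"):
    """Apply the query's filters and return the selected columns per hit."""
    hits = []
    for line in raw_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue                     # #event.dataset="cloudtrail.s3"
        if ev.get("eventName") != "PutBucketPolicy":
            continue                     # event.action="PutBucketPolicy"
        if "errorCode" in ev:
            continue                     # #event.outcome="success"
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName", "")
        if not fnmatchcase(bucket, bucket_pattern):
            continue                     # ?BucketName parameter
        if not fnmatchcase(ev.get("recipientAccountId", ""), account_pattern):
            continue                     # ?AwsAccount parameter
        hits.append({
            "@timestamp": ev["eventTime"],
            "BucketName": bucket,
            "UserARN": (ev.get("userIdentity") or {}).get("arn"),
            # Triage enrichment beyond the original query.
            "PublicPrincipal": is_public_policy(params.get("bucketPolicy") or {}),
        })
    return hits


if __name__ == "__main__":
    for row in detect_policy_updates(SAMPLE_EVENTS):
        print(row)
```

Run it as-is to see the two successful policy writes; pass bucket_pattern="public-*" to mirror setting the ?BucketName parameter. The PublicPrincipal column is the kind of enrichment worth adding to the CQL itself, since a bucket-policy change is only interesting once you know what the new policy allows.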
Author
ByteRay GmbH
Data Sources
Cloud
Platforms
cloud
Tags
Monitoring
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: AWS S3 Bucket Policy Updates
# Description of what the query does and its purpose.
description: Lists every S3 bucket whose bucket policy was successfully modified (CloudTrail PutBucketPolicy events) together with the ARN of the principal that changed it.
# The author or team that created the query.
author: ByteRay GmbH
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Cloud
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor="aws" #event.dataset="cloudtrail.s3" #repo!="xdr*"
  | #event.kind="event" #event.outcome="success"
  | event.action="PutBucketPolicy"
  | cloud.Storage.bucket_name =~ in(values=[?BucketName])
  | cloud.account.id =~ in(values=[?AwsAccount])
  | UserARN := getField("Vendor.userIdentity.arn")
  | BucketName := getField("cloud.Storage.bucket_name")
  | select(["@timestamp","BucketName", "UserARN"])
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  A successful PutBucketPolicy call replaces the bucket's entire policy, so a single call can grant cross-account or anonymous access; each hit should be triaged by reviewing the policy document that was applied. Failed attempts are excluded by the success filter.
  AWS PutBucketPolicy: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html