IaaS policy not attached to any identity
| Id | 57bae0c4-50b7-4552-9de9-19dfecddbace |
| Rulename | IaaS policy not attached to any identity |
| Description | The rule detects AWS policies that are not attached to any identities, meaning they can be deleted. |
| Severity | Informational |
| Tactics | PrivilegeEscalation Persistence |
| Techniques | T1098 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml |
| Version | 1.0.3 |
| Arm template | 57bae0c4-50b7-4552-9de9-19dfecddbace.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS policy not attached to any identity"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS policy not attached to any identity"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
status: Available
relevantTechniques:
- T1098
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
version: 1.0.3
id: 57bae0c4-50b7-4552-9de9-19dfecddbace
name: IaaS policy not attached to any identity
tactics:
- PrivilegeEscalation
- Persistence
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
suppressionEnabled: false
triggerThreshold: 0
alertDetailsOverride:
alertnameFormat: Alert from Authomize - IaaS policy not attached to any identity
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertSeverity: Severity
alertDescriptionFormat: IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.
alertTactics: Tactics
severity: Informational
customDetails:
EventRecommendation: Recommendation
EventDescription: Description
ReferencedURL: URL
EventName: Policy
AuthomizeEventID: EventID
queryPeriod: 30m
description: The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByEntities: []
reopenClosedIncident: false
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
matchingMethod: AnyAlert
lookbackDuration: 5h
suppressionDuration: 5h
queryFrequency: 30m