New service account gained access to IaaS resource
Id | 6c17f270-cd56-48cc-9196-1728ffea6538 |
Rulename | New service account gained access to IaaS resource |
Description | This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration. |
Severity | Informational |
Tactics | InitialAccess |
Required data connectors | Authomize |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml |
Version | 1.0.2 |
Arm template | 6c17f270-cd56-48cc-9196-1728ffea6538.json |
// Scheduled detection query: surfaces Authomize policy events for
// "New service account gained access to IaaS resource".
Authomize_v2_CL
// Lookback is keyed on ingestion_time(), not the event timestamp, and matches
// the 30m schedule of this rule. NOTE(review): if a scheduled run is delayed,
// records ingested in the slice between two windows may be missed — confirm
// the tolerance for that, or widen the window slightly.
| where ingestion_time() >= ago(30m)
// Alias the raw *_s columns to the names the alert/customDetails mappings use.
// Severity here is what the alertSeverity override reads, so the alert's
// severity is taken from the Authomize event rather than the rule's default.
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
// Token match on the policy name; only this Authomize policy is kept.
| where Policy has "New service account gained access to IaaS resource"
// Category is projected as-is (not aliased in the extend above); presumably a
// native column of Authomize_v2_CL — confirm, since a missing column fails the query.
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
# Microsoft Sentinel scheduled analytic rule fed by the Authomize data connector.
# Default rule severity; note that alertDetailsOverride below replaces it per alert
# with the event's own Severity column.
severity: Informational
# Runs every 30 minutes and queries the previous 30 minutes (same window as ago(30m) in the query).
queryFrequency: 30m
kind: Scheduled
version: 1.0.2
# Fires when the query returns more than triggerThreshold (0) rows.
triggerOperator: gt
description: This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
incidentConfiguration:
  createIncident: true
  # Alert grouping is on with AnyAlert matching and a 5h lookback; all groupBy
  # lists are empty, so grouping does not discriminate on entities or details.
  groupingConfiguration:
    lookbackDuration: 5h
    groupByEntities: []
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AnyAlert
    groupByAlertDetails: []
    groupByCustomDetails: []
queryPeriod: 30m
id: 6c17f270-cd56-48cc-9196-1728ffea6538
# No suppression: every scheduled run can raise a new alert.
suppressionEnabled: false
status: Available
suppressionDuration: 5h
# Per-alert overrides taken from query output columns (see the extend in the query).
alertDetailsOverride:
  # Alert severity comes from the Authomize event's severity_s, not the rule default above.
  alertSeverity: Severity
  alertDescriptionFormat: New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
  # The alert's link is the ingested url_s value of the event.
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: URL
  alertTactics: Tactics
  alertnameFormat: Alert from Authomize - New service account gained access to IaaS resource
# Custom details attached to each alert; values are query output column names.
customDetails:
  EventDescription: Description
  EventRecommendation: Recommendation
  EventName: Policy
  ReferencedURL: URL
  AuthomizeEventID: EventID
tactics:
  - InitialAccess
name: New service account gained access to IaaS resource
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
# One alert per run rather than one per matching row.
eventGroupingSettings:
  aggregationKind: SingleAlert
# KQL: filter by ingestion time over the 30m window, alias the raw *_s columns,
# keep only this Authomize policy, and project the columns mapped above.
# Category is projected without an alias; presumably a native column of
# Authomize_v2_CL — confirm, since a missing column would fail the query.
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "New service account gained access to IaaS resource"
  | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
  - dataTypes:
      - Authomize_v2_CL
    connectorId: Authomize
# Maps the URL output column to a URL entity on the alert.
entityMappings:
  - entityType: URL
    fieldMappings:
      - columnName: URL
        identifier: Url
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "URL"
}
],
"alertnameFormat": "Alert from Authomize - New service account gained access to IaaS resource",
"alertSeverity": "Severity",
"alertTactics": "Tactics"
},
"alertRuleTemplateName": "6c17f270-cd56-48cc-9196-1728ffea6538",
"customDetails": {
"AuthomizeEventID": "EventID",
"EventDescription": "Description",
"EventName": "Policy",
"EventRecommendation": "Recommendation",
"ReferencedURL": "URL"
},
"description": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"displayName": "New service account gained access to IaaS resource",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AnyAlert",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml",
"query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New service account gained access to IaaS resource\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"severity": "Informational",
"status": "Available",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}