New service account gained access to IaaS resource
Id | 6c17f270-cd56-48cc-9196-1728ffea6538 |
Rulename | New service account gained access to IaaS resource |
Description | This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration. |
Severity | Informational |
Tactics | InitialAccess |
Required data connectors | Authomize |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml |
Version | 1.0.2 |
Arm template | 6c17f270-cd56-48cc-9196-1728ffea6538.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
customDetails:
EventName: Policy
ReferencedURL: URL
AuthomizeEventID: EventID
EventDescription: Description
EventRecommendation: Recommendation
triggerOperator: gt
suppressionDuration: 5h
description: This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
status: Available
kind: Scheduled
triggerThreshold: 0
queryFrequency: 30m
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
groupByCustomDetails: []
groupByEntities: []
groupByAlertDetails: []
lookbackDuration: 5h
matchingMethod: AnyAlert
enabled: true
version: 1.0.2
eventGroupingSettings:
aggregationKind: SingleAlert
queryPeriod: 30m
name: New service account gained access to IaaS resource
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
id: 6c17f270-cd56-48cc-9196-1728ffea6538
alertDetailsOverride:
alertnameFormat: Alert from Authomize - New service account gained access to IaaS resource
alertTactics: Tactics
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertSeverity: Severity
alertDescriptionFormat: New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
tactics:
- InitialAccess
severity: Informational
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URL
entityType: URL
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "URL"
}
],
"alertnameFormat": "Alert from Authomize - New service account gained access to IaaS resource",
"alertSeverity": "Severity",
"alertTactics": "Tactics"
},
"alertRuleTemplateName": "6c17f270-cd56-48cc-9196-1728ffea6538",
"customDetails": {
"AuthomizeEventID": "EventID",
"EventDescription": "Description",
"EventName": "Policy",
"EventRecommendation": "Recommendation",
"ReferencedURL": "URL"
},
"description": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"displayName": "New service account gained access to IaaS resource",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AnyAlert",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml",
"query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New service account gained access to IaaS resource\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"severity": "Informational",
"status": "Available",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}