Lateral Movement Risk - Role Chain Length
| Id | 25bef734-4399-4c55-9579-4ebabd9cccf6 |
| Rulename | Lateral Movement Risk - Role Chain Length |
| Description | The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement. |
| Severity | Informational |
| Tactics | PrivilegeEscalation Persistence |
| Techniques | T1098 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Chain_of_3_or_more_roles.yaml |
| Version | 1.0.3 |
| Arm template | 25bef734-4399-4c55-9579-4ebabd9cccf6.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Chain of 3 or more roles"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
status: Available
queryFrequency: 30m
id: 25bef734-4399-4c55-9579-4ebabd9cccf6
tactics:
- PrivilegeEscalation
- Persistence
suppressionDuration: 5h
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Chain_of_3_or_more_roles.yaml
alertDetailsOverride:
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertSeverity: Severity
alertDescriptionFormat: Account can elevate privileges by assuming a role. The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.
alertTactics: Tactics
alertnameFormat: Alert from Authomize - Account can elevate privileges by assuming a role
eventGroupingSettings:
aggregationKind: SingleAlert
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Chain of 3 or more roles"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
kind: Scheduled
suppressionEnabled: false
relevantTechniques:
- T1098
name: Lateral Movement Risk - Role Chain Length
customDetails:
ReferencedURL: URL
AuthomizeEventID: EventID
EventName: Policy
EventRecommendation: Recommendation
EventDescription: Description
triggerThreshold: 0
queryPeriod: 30m
triggerOperator: gt
description: The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.
incidentConfiguration:
groupingConfiguration:
enabled: true
matchingMethod: AnyAlert
reopenClosedIncident: false
lookbackDuration: 5h
groupByEntities: []
groupByCustomDetails: []
groupByAlertDetails: []
createIncident: true
severity: Informational
version: 1.0.3