Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

IaaS policy not attached to any identity

Back
Id57bae0c4-50b7-4552-9de9-19dfecddbace
RulenameIaaS policy not attached to any identity
DescriptionThe rule detects AWS policies that are not attached to any identities, meaning they can be deleted.
SeverityInformational
TacticsPrivilegeEscalation
Persistence
TechniquesT1098
Required data connectorsAuthomize
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml
Version1.0.3
Arm template57bae0c4-50b7-4552-9de9-19dfecddbace.json
Deploy To Azure
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS policy not attached to any identity"
| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
suppressionEnabled: false
customDetails:
  EventRecommendation: Recommendation
  AuthomizeEventID: EventID
  EventDescription: Description
  EventName: Policy
  ReferencedURL: URL
status: Available
id: 57bae0c4-50b7-4552-9de9-19dfecddbace
alertDetailsOverride:
  alertSeverity: Severity
  alertDescriptionFormat: IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.
  alertTactics: Tactics
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: URL
  alertnameFormat: Alert from Authomize - IaaS policy not attached to any identity
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "IaaS policy not attached to any identity"
  | project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics  
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml
description: The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.
name: IaaS policy not attached to any identity
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AnyAlert
    groupByEntities: []
    groupByAlertDetails: []
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    groupByCustomDetails: []
  createIncident: true
relevantTechniques:
- T1098
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URL
triggerThreshold: 0
severity: Informational
requiredDataConnectors:
- dataTypes:
  - Authomize_v2_CL
  connectorId: Authomize
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 30m
queryPeriod: 30m
version: 1.0.3
kind: Scheduled
tactics:
- PrivilegeEscalation
- Persistence
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57bae0c4-50b7-4552-9de9-19dfecddbace')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57bae0c4-50b7-4552-9de9-19dfecddbace')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.",
          "alertDynamicProperties": [
            {
              "alertProperty": "AlertLink",
              "value": "URL"
            }
          ],
          "alertnameFormat": "Alert from Authomize - IaaS policy not attached to any identity",
          "alertSeverity": "Severity",
          "alertTactics": "Tactics"
        },
        "alertRuleTemplateName": "57bae0c4-50b7-4552-9de9-19dfecddbace",
        "customDetails": {
          "AuthomizeEventID": "EventID",
          "EventDescription": "Description",
          "EventName": "Policy",
          "EventRecommendation": "Recommendation",
          "ReferencedURL": "URL"
        },
        "description": "The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.",
        "displayName": "IaaS policy not attached to any identity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "URL",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AnyAlert",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml",
        "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"IaaS policy not attached to any identity\"\n| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}