New service account gained access to IaaS resource
Id | 6c17f270-cd56-48cc-9196-1728ffea6538 |
Rulename | New service account gained access to IaaS resource |
Description | This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration. |
Severity | Informational |
Tactics | InitialAccess |
Techniques | T1078 |
Required data connectors | Authomize |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml |
Version | 1.0.3 |
Arm template | 6c17f270-cd56-48cc-9196-1728ffea6538.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
status: Available
relevantTechniques:
- T1078
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
enabled: true
groupByAlertDetails: []
reopenClosedIncident: false
groupByEntities: []
groupByCustomDetails: []
matchingMethod: AnyAlert
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
triggerOperator: gt
id: 6c17f270-cd56-48cc-9196-1728ffea6538
description: This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
eventGroupingSettings:
aggregationKind: SingleAlert
queryPeriod: 30m
alertDetailsOverride:
alertnameFormat: Alert from Authomize - New service account gained access to IaaS resource
alertDescriptionFormat: New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
alertTactics: Tactics
alertSeverity: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
kind: Scheduled
suppressionDuration: 5h
name: New service account gained access to IaaS resource
triggerThreshold: 0
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
tactics:
- InitialAccess
version: 1.0.3
severity: Informational
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
suppressionEnabled: false
queryFrequency: 30m
customDetails:
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
EventName: Policy
AuthomizeEventID: EventID
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "URL"
}
],
"alertnameFormat": "Alert from Authomize - New service account gained access to IaaS resource",
"alertSeverity": "Severity",
"alertTactics": "Tactics"
},
"alertRuleTemplateName": "6c17f270-cd56-48cc-9196-1728ffea6538",
"customDetails": {
"AuthomizeEventID": "EventID",
"EventDescription": "Description",
"EventName": "Policy",
"EventRecommendation": "Recommendation",
"ReferencedURL": "URL"
},
"description": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"displayName": "New service account gained access to IaaS resource",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AnyAlert",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml",
"query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New service account gained access to IaaS resource\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"severity": "Informational",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}