New service account gained access to IaaS resource
Id | 6c17f270-cd56-48cc-9196-1728ffea6538 |
Rulename | New service account gained access to IaaS resource |
Description | This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration. |
Severity | Informational |
Tactics | InitialAccess |
Techniques | T1078 |
Required data connectors | Authomize |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml |
Version | 1.0.3 |
Arm template | 6c17f270-cd56-48cc-9196-1728ffea6538.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
queryPeriod: 30m
suppressionEnabled: false
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- InitialAccess
customDetails:
EventDescription: Description
EventName: Policy
AuthomizeEventID: EventID
ReferencedURL: URL
EventRecommendation: Recommendation
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URL
entityType: URL
relevantTechniques:
- T1078
kind: Scheduled
triggerThreshold: 0
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByEntities: []
reopenClosedIncident: false
groupByAlertDetails: []
groupByCustomDetails: []
lookbackDuration: 5h
enabled: true
matchingMethod: AnyAlert
severity: Informational
id: 6c17f270-cd56-48cc-9196-1728ffea6538
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml
version: 1.0.3
description: This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
triggerOperator: gt
alertDetailsOverride:
alertTactics: Tactics
alertDescriptionFormat: New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertnameFormat: Alert from Authomize - New service account gained access to IaaS resource
alertSeverity: Severity
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
name: New service account gained access to IaaS resource
suppressionDuration: 5h
status: Available
queryFrequency: 30m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6c17f270-cd56-48cc-9196-1728ffea6538')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "URL"
}
],
"alertnameFormat": "Alert from Authomize - New service account gained access to IaaS resource",
"alertSeverity": "Severity",
"alertTactics": "Tactics"
},
"alertRuleTemplateName": "6c17f270-cd56-48cc-9196-1728ffea6538",
"customDetails": {
"AuthomizeEventID": "EventID",
"EventDescription": "Description",
"EventName": "Policy",
"EventRecommendation": "Recommendation",
"ReferencedURL": "URL"
},
"description": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
"displayName": "New service account gained access to IaaS resource",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AnyAlert",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml",
"query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New service account gained access to IaaS resource\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"severity": "Informational",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}