Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
relevantTechniques:
- T1580
name: Privileged Machines Exposed to the Internet
queryFrequency: 30m
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
matchingMethod: AnyAlert
enabled: true
groupByCustomDetails: []
lookbackDuration: 5h
groupByAlertDetails: []
reopenClosedIncident: false
createIncident: true
triggerThreshold: 0
severity: High
alertDetailsOverride:
alertTactics: Tactics
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertSeverity: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
tactics:
- Discovery
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
version: 1.0.2
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
queryPeriod: 30m
triggerOperator: gt
customDetails:
EventRecommendation: Recommendation
AuthomizeEventID: EventID
EventName: Policy
ReferencedURL: URL
EventDescription: Description
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: SingleAlert
id: 72891de4-da70-44e4-9984-35fcea98d000
suppressionDuration: 5h
status: Available
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".