Privileged Machines Exposed to the Internet
| Field | Value |
|---|---|
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS EC2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged". |
| Severity | High |
| Tactics | Discovery, Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
```kql
Authomize_v2_CL
// Only look at records ingested within the last query period (30m)
| where ingestion_time() >= ago(30m)
// Normalise the Authomize custom-log columns into friendly names
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s, Description = description_s, Recommendation = recommendation_s, URL = url_s, Tactics = tactics_s
// Keep only events raised by the matching Authomize policy
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
```
```yaml
entityMappings:
  - fieldMappings:
      - identifier: Url
        columnName: URL
    entityType: URL
kind: Scheduled
severity: High
relevantTechniques:
  - T1580
tactics:
  - Discovery
  - Impact
id: 72891de4-da70-44e4-9984-35fcea98d000
alertDetailsOverride:
  alertSeverity: Severity
  alertDynamicProperties:
    - alertProperty: AlertLink
      value: URL
  alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
  alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
  alertTactics: Tactics
requiredDataConnectors:
  - dataTypes:
      - Authomize_v2_CL
    connectorId: Authomize
name: Privileged Machines Exposed to the Internet
queryFrequency: 30m
triggerThreshold: 0
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s, Description = description_s, Recommendation = recommendation_s, URL = url_s, Tactics = tactics_s
  | where Policy has "Privileged Machines Exposed to the Internet"
  | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
eventGroupingSettings:
  aggregationKind: SingleAlert
queryPeriod: 30m
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    groupByCustomDetails: []
    enabled: true
    groupByEntities: []
    lookbackDuration: 5h
    matchingMethod: AnyAlert
    reopenClosedIncident: false
suppressionDuration: 5h
status: Available
triggerOperator: gt
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
customDetails:
  EventDescription: Description
  AuthomizeEventID: EventID
  EventName: Policy
  ReferencedURL: URL
  EventRecommendation: Recommendation
suppressionEnabled: false
```