Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
suppressionEnabled: false
relevantTechniques:
- T1580
incidentConfiguration:
groupingConfiguration:
groupByCustomDetails: []
reopenClosedIncident: false
enabled: true
matchingMethod: AnyAlert
groupByEntities: []
lookbackDuration: 5h
groupByAlertDetails: []
createIncident: true
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
version: 1.0.2
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
suppressionDuration: 5h
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
customDetails:
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
AuthomizeEventID: EventID
EventName: Policy
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
triggerOperator: gt
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertTactics: Tactics
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertSeverity: Severity
eventGroupingSettings:
aggregationKind: SingleAlert
id: 72891de4-da70-44e4-9984-35fcea98d000
queryFrequency: 30m
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
severity: High
status: Available
queryPeriod: 30m
name: Privileged Machines Exposed to the Internet
tactics:
- Discovery
- Impact
kind: Scheduled