Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
customDetails:
EventDescription: Description
EventName: Policy
AuthomizeEventID: EventID
ReferencedURL: URL
EventRecommendation: Recommendation
name: Privileged Machines Exposed to the Internet
relevantTechniques:
- T1580
id: 72891de4-da70-44e4-9984-35fcea98d000
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.2
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
queryPeriod: 30m
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URL
entityType: URL
incidentConfiguration:
groupingConfiguration:
groupByAlertDetails: []
lookbackDuration: 5h
reopenClosedIncident: false
groupByCustomDetails: []
groupByEntities: []
matchingMethod: AnyAlert
enabled: true
createIncident: true
queryFrequency: 30m
suppressionDuration: 5h
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertSeverity: Severity
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertTactics: Tactics
status: Available
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
tactics:
- Discovery
- Impact
kind: Scheduled
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
triggerOperator: gt