Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
tactics:
- Discovery
- Impact
triggerOperator: gt
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
relevantTechniques:
- T1580
entityMappings:
- fieldMappings:
- identifier: Url
columnName: URL
entityType: URL
suppressionDuration: 5h
id: 72891de4-da70-44e4-9984-35fcea98d000
queryPeriod: 30m
name: Privileged Machines Exposed to the Internet
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
queryFrequency: 30m
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
customDetails:
EventDescription: Description
AuthomizeEventID: EventID
EventRecommendation: Recommendation
ReferencedURL: URL
EventName: Policy
suppressionEnabled: false
version: 1.0.2
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
incidentConfiguration:
groupingConfiguration:
groupByAlertDetails: []
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByCustomDetails: []
reopenClosedIncident: false
enabled: true
createIncident: true
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertTactics: Tactics
alertSeverity: Severity
triggerThreshold: 0
severity: High
status: Available
eventGroupingSettings:
aggregationKind: SingleAlert
kind: Scheduled