Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
queryPeriod: 30m
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
triggerThreshold: 0
name: Privileged Machines Exposed to the Internet
triggerOperator: gt
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
kind: Scheduled
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
customDetails:
ReferencedURL: URL
EventRecommendation: Recommendation
AuthomizeEventID: EventID
EventDescription: Description
EventName: Policy
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionDuration: 5h
suppressionEnabled: false
queryFrequency: 30m
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
matchingMethod: AnyAlert
enabled: true
groupByCustomDetails: []
groupByEntities: []
reopenClosedIncident: false
groupByAlertDetails: []
tactics:
- Discovery
- Impact
id: 72891de4-da70-44e4-9984-35fcea98d000
status: Available
version: 1.0.2
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertSeverity: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertTactics: Tactics
severity: High
relevantTechniques:
- T1580