Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
relevantTechniques:
- T1580
queryPeriod: 30m
triggerOperator: gt
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionEnabled: false
suppressionDuration: 5h
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
version: 1.0.2
tactics:
- Discovery
- Impact
severity: High
status: Available
triggerThreshold: 0
queryFrequency: 30m
alertDetailsOverride:
alertTactics: Tactics
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertSeverity: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AnyAlert
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
groupByAlertDetails: []
groupByEntities: []
groupByCustomDetails: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
id: 72891de4-da70-44e4-9984-35fcea98d000
customDetails:
EventName: Policy
ReferencedURL: URL
AuthomizeEventID: EventID
EventDescription: Description
EventRecommendation: Recommendation
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
name: Privileged Machines Exposed to the Internet