Privileged Machines Exposed to the Internet
| Id | 72891de4-da70-44e4-9984-35fcea98d000 |
| Rulename | Privileged Machines Exposed to the Internet |
| Description | These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also “privileged”. |
| Severity | High |
| Tactics | Discovery Impact |
| Techniques | T1580 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml |
| Version | 1.0.2 |
| Arm template | 72891de4-da70-44e4-9984-35fcea98d000.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
name: Privileged Machines Exposed to the Internet
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByCustomDetails: []
groupByAlertDetails: []
enabled: true
matchingMethod: AnyAlert
groupByEntities: []
lookbackDuration: 5h
createIncident: true
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
queryPeriod: 30m
triggerOperator: gt
suppressionEnabled: false
tactics:
- Discovery
- Impact
suppressionDuration: 5h
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.2
alertDetailsOverride:
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertTactics: Tactics
alertSeverity: Severity
relevantTechniques:
- T1580
id: 72891de4-da70-44e4-9984-35fcea98d000
customDetails:
EventDescription: Description
EventName: Policy
EventRecommendation: Recommendation
AuthomizeEventID: EventID
ReferencedURL: URL
severity: High
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
status: Available
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
queryFrequency: 30m