Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Back


Id	777d4993-31bb-4d45-b949-84f58e09fa2f
Rulename	Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
Description	Detects access keys which were not rotated for 90 days.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PaloAltoPrismaCloud
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
Version	1.0.0
Arm template	777d4993-31bb-4d45-b949-84f58e09fa2f.json

KQL

PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'access keys are not rotated for 90 days'
| extend AccountCustomEntity = UserName

YAML

name: Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
query: |
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where Status =~ 'open'
  | where AlertMessage has 'access keys are not rotated for 90 days'
  | extend AccountCustomEntity = UserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - PaloAltoPrismaCloud
  connectorId: PaloAltoPrismaCloud
version: 1.0.0
queryPeriod: 1d
id: 777d4993-31bb-4d45-b949-84f58e09fa2f
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1078
severity: Medium
description: |
    'Detects access keys which were not rotated for 90 days.'
kind: Scheduled
tactics:
- InitialAccess

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/777d4993-31bb-4d45-b949-84f58e09fa2f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/777d4993-31bb-4d45-b949-84f58e09fa2f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Palo Alto Prisma Cloud - Access keys are not rotated for 90 days",
        "description": "'Detects access keys which were not rotated for 90 days.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "PaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where Status =~ 'open'\n| where AlertMessage has 'access keys are not rotated for 90 days'\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "777d4993-31bb-4d45-b949-84f58e09fa2f",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml"
      }
    }
  ]
}