Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Back
Id777d4993-31bb-4d45-b949-84f58e09fa2f
RulenamePalo Alto Prisma Cloud - Access keys are not rotated for 90 days
DescriptionDetects access keys which were not rotated for 90 days.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsPaloAltoPrismaCloud
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
Version1.0.1
Arm template777d4993-31bb-4d45-b949-84f58e09fa2f.json
Deploy To Azure
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'access keys are not rotated for 90 days'
| extend AccountCustomEntity = UserName
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
id: 777d4993-31bb-4d45-b949-84f58e09fa2f
name: Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
query: |
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where Status =~ 'open'
  | where AlertMessage has 'access keys are not rotated for 90 days'
  | extend AccountCustomEntity = UserName  
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
queryPeriod: 1d
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1078
queryFrequency: 1d
status: Available
requiredDataConnectors:
- dataTypes:
  - PaloAltoPrismaCloud
  connectorId: PaloAltoPrismaCloud
description: |
    'Detects access keys which were not rotated for 90 days.'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/777d4993-31bb-4d45-b949-84f58e09fa2f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/777d4993-31bb-4d45-b949-84f58e09fa2f')]",
      "properties": {
        "alertRuleTemplateName": "777d4993-31bb-4d45-b949-84f58e09fa2f",
        "customDetails": null,
        "description": "'Detects access keys which were not rotated for 90 days.'\n",
        "displayName": "Palo Alto Prisma Cloud - Access keys are not rotated for 90 days",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml",
        "query": "PaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where Status =~ 'open'\n| where AlertMessage has 'access keys are not rotated for 90 days'\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}