Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Palo Alto Prisma Cloud - Access keys are not rotated for 90 days

Back
Id777d4993-31bb-4d45-b949-84f58e09fa2f
RulenamePalo Alto Prisma Cloud - Access keys are not rotated for 90 days
DescriptionDetects access keys which were not rotated for 90 days.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsPaloAltoPrismaCloud
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
Version1.0.1
Arm template777d4993-31bb-4d45-b949-84f58e09fa2f.json
Deploy To Azure
PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'access keys are not rotated for 90 days'
| extend AccountCustomEntity = UserName
version: 1.0.1
name: Palo Alto Prisma Cloud - Access keys are not rotated for 90 days
severity: Medium
queryFrequency: 1d
kind: Scheduled
queryPeriod: 1d
description: |
    'Detects access keys which were not rotated for 90 days.'
query: |
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where Status =~ 'open'
  | where AlertMessage has 'access keys are not rotated for 90 days'
  | extend AccountCustomEntity = UserName  
tactics:
- InitialAccess
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
  dataTypes:
  - PaloAltoPrismaCloud
status: Available
relevantTechniques:
- T1078
id: 777d4993-31bb-4d45-b949-84f58e09fa2f
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/777d4993-31bb-4d45-b949-84f58e09fa2f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/777d4993-31bb-4d45-b949-84f58e09fa2f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Palo Alto Prisma Cloud - Access keys are not rotated for 90 days",
        "description": "'Detects access keys which were not rotated for 90 days.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "PaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where Status =~ 'open'\n| where AlertMessage has 'access keys are not rotated for 90 days'\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "777d4993-31bb-4d45-b949-84f58e09fa2f",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudAclAccessKeysNotRotated.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}