Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions

Back


Id	ac76d9c0-17a3-4aaa-a341-48f4c0b1c882
Rulename	Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions
Description	Detects IAM Groups with Administrator Access Permissions.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PaloAltoPrismaCloud
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
Version	1.0.1
Arm template	ac76d9c0-17a3-4aaa-a341-48f4c0b1c882.json

KQL

PaloAltoPrismaCloud
| where Reason =~ 'NEW_ALERT'
| where Status =~ 'open'
| where AlertMessage has 'IAM Groups with Administrator Access Permissions'
| extend AccountCustomEntity = UserName

YAML

query: |
  PaloAltoPrismaCloud
  | where Reason =~ 'NEW_ALERT'
  | where Status =~ 'open'
  | where AlertMessage has 'IAM Groups with Administrator Access Permissions'
  | extend AccountCustomEntity = UserName  
queryPeriod: 1h
queryFrequency: 1h
status: Available
id: ac76d9c0-17a3-4aaa-a341-48f4c0b1c882
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
relevantTechniques:
- T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml
requiredDataConnectors:
- connectorId: PaloAltoPrismaCloud
  dataTypes:
  - PaloAltoPrismaCloud
name: Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions
description: |
    'Detects IAM Groups with Administrator Access Permissions.'
tactics:
- InitialAccess
severity: Medium
triggerThreshold: 0
version: 1.0.1
kind: Scheduled
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ac76d9c0-17a3-4aaa-a341-48f4c0b1c882')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ac76d9c0-17a3-4aaa-a341-48f4c0b1c882')]",
      "properties": {
        "alertRuleTemplateName": "ac76d9c0-17a3-4aaa-a341-48f4c0b1c882",
        "customDetails": null,
        "description": "'Detects IAM Groups with Administrator Access Permissions.'\n",
        "displayName": "Palo Alto Prisma Cloud - IAM Group with Administrator Access Permissions",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PaloAltoPrismaCloud/Analytic Rules/PaloAltoPrismaCloudIamAdminGroup.yaml",
        "query": "PaloAltoPrismaCloud\n| where Reason =~ 'NEW_ALERT'\n| where Status =~ 'open'\n| where AlertMessage has 'IAM Groups with Administrator Access Permissions'\n| extend AccountCustomEntity = UserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}