New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
kind: Scheduled
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
status: Available
triggerOperator: gt
version: 1.0.2
tactics:
- InitialAccess
- PrivilegeEscalation
queryPeriod: 30m
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: true
matchingMethod: AnyAlert
groupByAlertDetails: []
groupByEntities: []
groupByCustomDetails: []
lookbackDuration: 5h
alertDetailsOverride:
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertSeverity: Severity
alertTactics: Tactics
queryFrequency: 30m
id: d7ee7bb5-d712-4d44-b201-b13379924934
eventGroupingSettings:
aggregationKind: SingleAlert
relevantTechniques:
- T1078
- T1078
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
customDetails:
AuthomizeEventID: EventID
EventRecommendation: Recommendation
ReferencedURL: URL
EventName: Policy
EventDescription: Description
suppressionEnabled: false
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
triggerThreshold: 0
name: New direct access policy was granted against organizational policy
severity: Low
suppressionDuration: 5h
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics