New direct access policy was granted against organizational policy
Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
Rulename | New direct access policy was granted against organizational policy |
Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
Severity | Low |
Tactics | InitialAccess PrivilegeEscalation |
Techniques | T1078 T1078 |
Required data connectors | Authomize |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
Version | 1.0.2 |
Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
kind: Scheduled
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
id: d7ee7bb5-d712-4d44-b201-b13379924934
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
eventGroupingSettings:
aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
name: New direct access policy was granted against organizational policy
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
status: Available
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
severity: Low
alertDetailsOverride:
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertTactics: Tactics
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertSeverity: Severity
queryFrequency: 30m
suppressionEnabled: false
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
suppressionDuration: 5h
relevantTechniques:
- T1078
- T1078
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByAlertDetails: []
lookbackDuration: 5h
matchingMethod: AnyAlert
enabled: true
reopenClosedIncident: false
groupByCustomDetails: []
groupByEntities: []
customDetails:
EventName: Policy
EventRecommendation: Recommendation
ReferencedURL: URL
EventDescription: Description
AuthomizeEventID: EventID
queryPeriod: 30m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7ee7bb5-d712-4d44-b201-b13379924934')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7ee7bb5-d712-4d44-b201-b13379924934')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.\n",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "URL"
}
],
"alertnameFormat": "Alert from Authomize - New direct access policy was granted against organizational policy",
"alertSeverity": "Severity",
"alertTactics": "Tactics"
},
"alertRuleTemplateName": "d7ee7bb5-d712-4d44-b201-b13379924934",
"customDetails": {
"AuthomizeEventID": "EventID",
"EventDescription": "Description",
"EventName": "Policy",
"EventRecommendation": "Recommendation",
"ReferencedURL": "URL"
},
"description": "This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.",
"displayName": "New direct access policy was granted against organizational policy",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AnyAlert",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml",
"query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New direct access policy was granted against organizational policy\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}