New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
name: New direct access policy was granted against organizational policy
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
queryFrequency: 30m
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertTactics: Tactics
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertSeverity: Severity
tactics:
- InitialAccess
- PrivilegeEscalation
status: Available
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AnyAlert
lookbackDuration: 5h
groupByAlertDetails: []
reopenClosedIncident: false
enabled: true
groupByEntities: []
groupByCustomDetails: []
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: URL
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
version: 1.0.2
customDetails:
EventRecommendation: Recommendation
ReferencedURL: URL
AuthomizeEventID: EventID
EventDescription: Description
EventName: Policy
kind: Scheduled
suppressionEnabled: false
relevantTechniques:
- T1078
- T1078
suppressionDuration: 5h
severity: Low
id: d7ee7bb5-d712-4d44-b201-b13379924934
queryPeriod: 30m