New direct access policy was granted against organizational policy
Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
Rulename | New direct access policy was granted against organizational policy |
Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
Severity | Low |
Tactics | InitialAccess PrivilegeEscalation |
Techniques | T1078 T1078 |
Required data connectors | Authomize |
Kind | Scheduled |
Query frequency | 30m |
Query period | 30m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
Version | 1.0.2 |
Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
status: Available
queryPeriod: 30m
suppressionDuration: 5h
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
id: d7ee7bb5-d712-4d44-b201-b13379924934
kind: Scheduled
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- InitialAccess
- PrivilegeEscalation
severity: Low
triggerOperator: gt
eventGroupingSettings:
aggregationKind: SingleAlert
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 5h
reopenClosedIncident: false
groupByCustomDetails: []
groupByEntities: []
matchingMethod: AnyAlert
enabled: true
groupByAlertDetails: []
createIncident: true
name: New direct access policy was granted against organizational policy
queryFrequency: 30m
alertDetailsOverride:
alertTactics: Tactics
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
alertSeverity: Severity
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
suppressionEnabled: false
version: 1.0.2
relevantTechniques:
- T1078
- T1078
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
customDetails:
EventRecommendation: Recommendation
EventDescription: Description
AuthomizeEventID: EventID
EventName: Policy
ReferencedURL: URL
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7ee7bb5-d712-4d44-b201-b13379924934')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7ee7bb5-d712-4d44-b201-b13379924934')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.\n",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "URL"
}
],
"alertnameFormat": "Alert from Authomize - New direct access policy was granted against organizational policy",
"alertSeverity": "Severity",
"alertTactics": "Tactics"
},
"alertRuleTemplateName": "d7ee7bb5-d712-4d44-b201-b13379924934",
"customDetails": {
"AuthomizeEventID": "EventID",
"EventDescription": "Description",
"EventName": "Policy",
"EventRecommendation": "Recommendation",
"ReferencedURL": "URL"
},
"description": "This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.",
"displayName": "New direct access policy was granted against organizational policy",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "URL",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AnyAlert",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml",
"query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New direct access policy was granted against organizational policy\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}