New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
kind: Scheduled
tactics:
- InitialAccess
- PrivilegeEscalation
severity: Low
triggerThreshold: 0
queryFrequency: 30m
status: Available
queryPeriod: 30m
relevantTechniques:
- T1078
- T1078
version: 1.0.2
suppressionEnabled: false
id: d7ee7bb5-d712-4d44-b201-b13379924934
name: New direct access policy was granted against organizational policy
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
groupByCustomDetails: []
enabled: true
matchingMethod: AnyAlert
groupByAlertDetails: []
groupByEntities: []
lookbackDuration: 5h
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
triggerOperator: gt
customDetails:
EventRecommendation: Recommendation
ReferencedURL: URL
EventName: Policy
EventDescription: Description
AuthomizeEventID: EventID
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertTactics: Tactics
alertSeverity: Severity
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize