New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
triggerOperator: gt
tactics:
- InitialAccess
- PrivilegeEscalation
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
enabled: true
lookbackDuration: 5h
groupByCustomDetails: []
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
alertDetailsOverride:
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertTactics: Tactics
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertSeverity: Severity
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
version: 1.0.2
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
triggerThreshold: 0
relevantTechniques:
- T1078
- T1078
queryPeriod: 30m
status: Available
severity: Low
kind: Scheduled
customDetails:
ReferencedURL: URL
EventRecommendation: Recommendation
AuthomizeEventID: EventID
EventDescription: Description
EventName: Policy
name: New direct access policy was granted against organizational policy
queryFrequency: 30m
id: d7ee7bb5-d712-4d44-b201-b13379924934
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- Authomize_v2_CL
connectorId: Authomize