New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
kind: Scheduled
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
groupByAlertDetails: []
groupByEntities: []
matchingMethod: AnyAlert
enabled: true
groupByCustomDetails: []
reopenClosedIncident: false
triggerThreshold: 0
suppressionDuration: 5h
entityMappings:
- fieldMappings:
- columnName: URL
identifier: Url
entityType: URL
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
eventGroupingSettings:
aggregationKind: SingleAlert
customDetails:
AuthomizeEventID: EventID
EventRecommendation: Recommendation
EventDescription: Description
ReferencedURL: URL
EventName: Policy
version: 1.0.2
id: d7ee7bb5-d712-4d44-b201-b13379924934
relevantTechniques:
- T1078
- T1078
queryPeriod: 30m
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
tactics:
- InitialAccess
- PrivilegeEscalation
severity: Low
suppressionEnabled: false
status: Available
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
name: New direct access policy was granted against organizational policy
alertDetailsOverride:
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertSeverity: Severity
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertTactics: Tactics
triggerOperator: gt