New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
name: New direct access policy was granted against organizational policy
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
groupByCustomDetails: []
groupByAlertDetails: []
enabled: true
matchingMethod: AnyAlert
groupByEntities: []
lookbackDuration: 5h
createIncident: true
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
queryPeriod: 30m
triggerOperator: gt
suppressionEnabled: false
tactics:
- InitialAccess
- PrivilegeEscalation
suppressionDuration: 5h
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.2
alertDetailsOverride:
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertTactics: Tactics
alertSeverity: Severity
relevantTechniques:
- T1078
- T1078
id: d7ee7bb5-d712-4d44-b201-b13379924934
customDetails:
EventDescription: Description
EventName: Policy
EventRecommendation: Recommendation
AuthomizeEventID: EventID
ReferencedURL: URL
severity: Low
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
status: Available
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
queryFrequency: 30m