New direct access policy was granted against organizational policy
| Id | d7ee7bb5-d712-4d44-b201-b13379924934 |
| Rulename | New direct access policy was granted against organizational policy |
| Description | This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml |
| Version | 1.0.2 |
| Arm template | d7ee7bb5-d712-4d44-b201-b13379924934.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
version: 1.0.2
alertDetailsOverride:
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
customDetails:
EventDescription: Description
EventRecommendation: Recommendation
EventName: Policy
AuthomizeEventID: EventID
ReferencedURL: URL
incidentConfiguration:
groupingConfiguration:
groupByAlertDetails: []
matchingMethod: AnyAlert
groupByCustomDetails: []
reopenClosedIncident: false
groupByEntities: []
lookbackDuration: 5h
enabled: true
createIncident: true
queryPeriod: 30m
severity: Low
triggerOperator: gt
relevantTechniques:
- T1078
- T1078
id: d7ee7bb5-d712-4d44-b201-b13379924934
eventGroupingSettings:
aggregationKind: SingleAlert
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/New_direct_access_policy_was_granted.yaml
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
suppressionDuration: 5h
suppressionEnabled: false
kind: Scheduled
tactics:
- InitialAccess
- PrivilegeEscalation
triggerThreshold: 0
status: Available
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
name: New direct access policy was granted against organizational policy