IaaS admin detected

Back


Id	dc728ba1-5204-4fde-ab48-eda19c8fad3a
Rulename	IaaS admin detected
Description	The policy detects admin users in AWS or Azure.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Authomize
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_admin_detected.yaml
Version	1.0.2
Arm template	dc728ba1-5204-4fde-ab48-eda19c8fad3a.json

KQL

Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS admin detected"
| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics

YAML

triggerThreshold: 0
description: The policy detects admin users in AWS or Azure.
suppressionDuration: 5h
severity: Medium
alertDetailsOverride:
  alertnameFormat: Alert from Authomize - IaaS admin detected
  alertDescriptionFormat: |
        IaaS admin detected. The policy detects admin users in AWS or Azure
  alertSeverity: Severity
  alertDynamicProperties:
  - value: URL
    alertProperty: AlertLink
  alertTactics: Tactics
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.2
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "IaaS admin detected"
  | project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics  
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: URL
  entityType: URL
queryPeriod: 30m
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - Authomize_v2_CL
  connectorId: Authomize
customDetails:
  EventDescription: Description
  AuthomizeEventID: EventID
  EventName: Policy
  ReferencedURL: URL
  EventRecommendation: Recommendation
relevantTechniques:
- T1078
queryFrequency: 30m
id: dc728ba1-5204-4fde-ab48-eda19c8fad3a
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 5h
    groupByAlertDetails: []
    reopenClosedIncident: false
    matchingMethod: AnyAlert
    groupByCustomDetails: []
    groupByEntities: []
    enabled: true
  createIncident: true
kind: Scheduled
name: IaaS admin detected
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/IaaS_admin_detected.yaml

ARM