Initial Branch from old Closed PR #7696

This is the NEW AUTHOMIZE Solution
Files modified:
	modified:   .script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
	modified:   Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
Files added:
	.script/tests/KqlvalidationsTests/CustomTables/Authomize_v2_CL.json
	Logos/Authomize.svg
	Sample Data/Authomize_v2_CL.csv
	Solutions/Authomize/Analytic Rules/
	Solutions/Authomize/Data Connectors/
	Solutions/Authomize/Data/
	Solutions/Authomize/Hunting queries/
	Solutions/Authomize/Package/
	Solutions/Authomize/SolutionMetadata.json
	Solutions/Authomize/Workbooks/
	Workbooks/Images/Logos/authomize.svg
This commit is contained in:
Steve Riley 2023-07-21 16:39:21 -06:00
Родитель b5ca4c3504
Коммит e9cc14dff6
47 изменённых файлов: 20742 добавлений и 0 удалений


@ -0,0 +1,126 @@
{
"Name": "Authomize_v2_CL",
"Properties": [
{
"name": "TimeGenerated",
"type": "Datetime"
},
{
"Name": "app_s",
"Type": "String"
},
{
"Name": "assigneeId_s",
"Type": "String"
},
{
"Name": "availability_Value_d",
"Type": "Real"
},
{
"Name": "Category",
"Type": "String"
},
{
"Name": "compliance_s",
"Type": "String"
},
{
"Name": "createdAt_t",
"Type": "Datetime"
},
{
"Name": "critical_Threshold_d",
"Type": "Real"
},
{
"Name": "description_s",
"Type": "String"
},
{
"Name": "duration_d",
"Type": "Real"
},
{
"Name": "entities_s",
"Type": "String"
},
{
"Name": "ID_g",
"Type": "Guid"
},
{
"Name": "id_s",
"Type": "String"
},
{
"Name": "IsActive_s",
"Type": "String"
},
{
"Name": "isResolved_b",
"Type": "Boolean"
},
{
"Name": "measurement_Name_s",
"Type": "String"
},
{
"Name": "performance_Value_d",
"Type": "Real"
},
{
"Name": "policy_id_s",
"Type": "String"
},
{
"Name": "policy_name_s",
"Type": "String"
},
{
"Name": "policy_templateId_s",
"Type": "String"
},
{
"Name": "policyId_s",
"Type": "String"
},
{
"Name": "recommendation_s",
"Type": "String"
},
{
"Name": "severity_s",
"Type": "String"
},
{
"Name": "slot_ID_d",
"Type": "Real"
},
{
"Name": "status_s",
"Type": "String"
},
{
"Name": "tactics_s",
"Type": "String"
},
{
"Name": "techniques_s",
"Type": "String"
},
{
"Name": "updatedAt_t",
"Type": "Datetime"
},
{
"Name": "url_s",
"Type": "String"
},
{
"Name": "warning_Threshold_d",
"Type": "Real"
}
]
}
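Review bot: The `TimeGenerated` entry at the top of `Properties` uses lowercase `"name"`/`"type"` keys while every other entry uses `"Name"`/`"Type"`; if the KQL validation loader matches keys case-sensitively, that column silently drops out of the schema and any query touching it would fail validation. Normalising it to `"Name": "TimeGenerated"` / `"Type": "Datetime"` costs nothing and removes the doubt. The rest of the schema does line up with the columns the analytic rules project (`id_s`, `policy_name_s`, `severity_s`, `description_s`, `recommendation_s`, `url_s`, `tactics_s`, `Category`).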


@ -192,5 +192,6 @@
"DynatraceAttacks",
"DynatraceAuditLogs",
"DynatraceProblems",
"Authomize",
"MicrosoftDefenderThreatIntelligence"
]

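--- a/Logos/Authomize.svg
+++ b/Logos/Authomize.svg
@@ -0,0 +1,12 @@
+<svg width="703" height="777" viewBox="0 0 703 777" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M453.93 214.126H375.274C374.1 218.141 372.045 221.869 369.404 224.737L423.7 316.227C424.581 316.227 425.755 315.94 426.635 315.94C437.495 315.94 446.299 324.544 446.299 335.156C446.299 339.745 444.832 343.76 441.897 347.202L502.944 449.876C505.879 449.016 509.107 448.442 512.335 448.442C515.27 448.442 518.205 449.016 521.14 449.59L557.24 388.501L453.93 214.126Z" fill="#1BC263"/>
+<path d="M357.667 29.1384L256.411 199.785H328.024C331.546 190.321 340.644 183.724 351.21 183.724C362.069 183.724 371.167 190.321 374.396 199.785H659.965L357.667 29.1384Z" fill="#1BC263"/>
+<path d="M411.957 348.062L254.645 404.275C254.351 414.6 245.546 423.204 234.981 423.204C234.1 423.204 232.926 423.204 232.046 422.917L205.925 467.371C208.273 470.526 209.447 474.541 209.447 478.557C209.447 483.145 207.979 487.161 205.338 490.602L248.481 563.163H454.514L491.494 500.354C485.624 494.904 481.808 487.161 481.808 478.27C481.808 469.953 485.33 462.209 490.907 456.76L429.86 353.798C428.98 353.798 427.806 354.085 426.925 354.085C421.055 354.372 415.772 352.077 411.957 348.062Z" fill="#1BC263"/>
+<path d="M327.44 214.126H247.904L144.3 388.214L186.27 458.767C187.15 458.767 187.737 458.767 188.618 458.767C190.379 458.767 192.14 459.054 193.901 459.341L219.435 416.034C216.793 412.592 215.032 408.577 215.032 403.988C215.032 393.377 223.837 384.772 234.696 384.772C235.577 384.772 236.751 384.772 237.631 385.059L332.43 224.164C330.082 221.009 328.321 217.567 327.44 214.126Z" fill="#1BC263"/>
+<path d="M344.76 231.335L251.136 390.51L407.274 334.87C407.274 330.568 409.035 326.553 411.677 323.398L357.381 231.909C355.62 232.195 353.565 232.482 351.804 232.482C349.163 232.195 346.815 231.909 344.76 231.335Z" fill="#1BC263"/>
+<path d="M672.87 214.126H470.653L672.87 554.846V214.126Z" fill="#1BC263"/>
+<path d="M565.752 402.555L533.761 456.761C539.631 462.21 543.447 469.954 543.447 478.844C543.447 495.479 529.652 509.245 512.336 509.245C509.401 509.245 506.466 508.672 503.532 508.098L364.709 743.848L666.714 573.489L565.752 402.555Z" fill="#1BC263"/>
+<path d="M338.876 32.8677L35.1108 204.088L136.072 374.161L338.876 32.8677Z" fill="#1BC263"/>
+<path d="M43.6279 577.503L345.632 747.862L446.007 577.503H43.6279Z" fill="#1BC263"/>
+<path d="M30.1284 223.59V563.162H231.758L193.017 498.345C191.55 498.632 190.082 498.919 188.615 498.919C177.168 498.919 168.07 489.741 168.07 478.843C168.07 473.68 170.125 468.805 173.353 465.363L30.1284 223.59Z" fill="#1BC263"/>
+</svg>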




@ -0,0 +1,59 @@
id: 734c00a0-a95b-44dd-9b69-d926ed44256d
name: AWS role with admin privileges
kind: Scheduled
description: The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "AWS role with admin privileges"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - AWS role with admin privileges
alertDescriptionFormat: AWS role with admin privileges. The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
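Review bot: `tier: support@authomize.com` under `metadata.support` puts a contact address into the field the detection template schema reserves for the support tier; the address belongs in `email:` and `tier` should carry the tier value (presumably `Partner` — verify against the schema the validation tests enforce), and `source.kind: Authomize` likewise does not look like a schema source kind, where sibling solutions use `kind: Community` or `kind: Solution` with `name: Authomize`. This applies identically to every other analytic rule in this commit. Separately, none of the rules declare `entityMappings`, so incidents will surface no entities even though `URL` is already projected; `entityMappings: - entityType: URL` with `fieldMappings: - identifier: Url` / `columnName: URL` is the minimum worth adding. Finally, `| where ingestion_time() >= ago(30m)` duplicates `queryPeriod: 30m` and is evaluated at actual run time, so a delayed run may open a gap between the two windows; dropping it and letting `queryPeriod` bound the lookback avoids that.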


@ -0,0 +1,60 @@
id: 2526079b-3355-4756-a2d1-21e9cd957261
name: AWS role with shadow admin privileges
kind: Scheduled
description: The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "AWS role with shadow admin privileges"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - AWS role with shadow admin privileges
alertDescriptionFormat: |
IaaS shadow admin detected. The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
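Review bot: `alertDescriptionFormat` opens with `IaaS shadow admin detected.` although this rule is `AWS role with shadow admin privileges`, so the alert text an analyst sees will not match the incident title; it looks copied from the IaaS shadow admin rule further down. Replace the leading phrase with `AWS role with shadow admin privileges.` and fix `The policy detect` → `The policy detects` here and in `description`. The `|` block scalar also keeps a trailing newline in the alert description, where `|-` would match the `query` field's style.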


@ -0,0 +1,60 @@
id: 48a9478b-440a-4330-b42c-94bd84dc904c
name: Access to AWS without MFA
kind: Scheduled
description: This detects users with access to AWS (IAM or Federated via Okta) without enabled MFA. This is a default definition by Authomize and can be updated using the edit modal.
severity: Medium
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Access to AWS without MFA"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Access to AWS without MFA
alertDescriptionFormat: |
Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded. See the URL for further details within the event details in your Authomize Tenant.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
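Review bot: `alertDescriptionFormat` reads `Refactor AWS policy based on activities in the last 60 days…`, which has nothing to do with the MFA check stated in `description` and the `Policy has "Access to AWS without MFA"` filter; an analyst opening the alert gets remediation guidance for a different finding. Replace it with the rule's own text, e.g. `Access to AWS without MFA. This detects users with access to AWS (IAM or Federated via Okta) without enabled MFA.`.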


@ -0,0 +1,61 @@
id: 87419138-d75f-450d-aca4-1dc802e32540
name: Admin SaaS account detected
kind: Scheduled
description: The rule detects internal admins accounts, it's recommended to review any new administrative permission.
severity: Low
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
relevantTechniques:
- T1078
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Admin SaaS account detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Admin SaaS account detected
alertDescriptionFormat: Admin SaaS account detected. The policy detects internal admins accounts, it's recommended to review any new administrative permission.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
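Review bot: `relevantTechniques` lists `T1078` twice; the duplicate adds nothing and may trip the template schema validation if it rejects repeated entries. Keep a single `- T1078` — it already covers both `InitialAccess` and `PrivilegeEscalation`. The same duplication appears in the `New direct access policy was granted against organizational policy` rule further down.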


@ -0,0 +1,60 @@
id: 63d87fcb-d197-48d2-a642-de4813f0219a
name: Admin password not updated in 30 days
kind: Scheduled
description: The policy detects an administrative account where the password of the account was not updated in the last 30 days.
severity: Medium
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Admin password wasn't updated during the last 30 days"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Admin password wasn't updated during the last 30 days
alertDescriptionFormat: |
Admin password wasn't updated during the last 30 days. The policy detects admin account where password wasn't updated during the last 30 days.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,57 @@
id: 25bef734-4399-4c55-9579-4ebabd9cccf6
name: Lateral Movement Risk - Role Chain Length
kind: Scheduled
description: The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.
severity: Informational
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Chain of 3 or more roles"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Account can elevate privileges by assuming a role
alertDescriptionFormat: Account can elevate privileges by assuming a role. The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
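Review bot: This rule carries three different names for the same detection — `name: Lateral Movement Risk - Role Chain Length`, the filter `Policy has "Chain of 3 or more roles"`, and `alertnameFormat: Alert from Authomize - Account can elevate privileges by assuming a role` — so the incident title will not match the rule an analyst looks up. Pick one wording (the policy string is what the data actually carries) and use it in `alertnameFormat`; `description` also says "more than 3 roles" where the policy string says "3 or more", which is an off-by-one in the explanation. Given the rule name, `LateralMovement` alongside `PrivilegeEscalation` under `tactics` looks intended, and `relevantTechniques` is absent here — worth confirming both.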


@ -0,0 +1,59 @@
id: 077eb06a-c011-47f7-8d92-dfc2b1e1d71b
name: Detect AWS IAM Users
kind: Scheduled
description: The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Detect AWS IAM Users"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Detect AWS IAM Users
alertDescriptionFormat: Detect AWS IAM Users. The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,57 @@
id: c4d442a8-8227-4735-ac13-d84704e1b371
name: Empty group with entitlements
kind: Scheduled
description: The rule detects empty groups with entitlements.
severity: Informational
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Empty group with entitlements"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Empty group with entitlements
alertDescriptionFormat: Empty group with entitlements. The policy detects empty groups with entitlements
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,60 @@
id: dc728ba1-5204-4fde-ab48-eda19c8fad3a
name: IaaS admin detected
kind: Scheduled
description: The policy detects admin users in AWS or Azure.
severity: Medium
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS admin detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - IaaS admin detected
alertDescriptionFormat: |
IaaS admin detected. The policy detects admin users in AWS or Azure
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
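Review bot: `Policy has "IaaS admin detected"` should be checked against the `IaaS shadow admin detected` rule's events using the committed sample data; if `has` matches the terms without requiring them to be adjacent, this Medium rule would also fire on every shadow-admin event the High rule already covers. If that turns out to be the case, `Policy == "IaaS admin detected"` (or `has_cs` on the full string) pins the match; the same pairing exists between the two `AWS role with … admin privileges` rules.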


@ -0,0 +1,57 @@
id: 57bae0c4-50b7-4552-9de9-19dfecddbace
name: IaaS policy not attached to any identity
kind: Scheduled
description: The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.
severity: Informational
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS policy not attached to any identity"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - IaaS policy not attached to any identity
alertDescriptionFormat: IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
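Review bot: `alertDescriptionFormat` contradicts the rule: `description` says the policy finds AWS policies not attached to any identity, while the alert text talks about policies attached to a role that has not used them `during the past X days`, with `X` left as an unfilled placeholder. Replace it with text matching the rule, e.g. `IaaS policy not attached to any identity. The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.`.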


@ -0,0 +1,60 @@
id: 31f43e9d-1839-4baf-a668-54c28b98af3e
name: IaaS shadow admin detected
kind: Scheduled
description: The policy detects shadow admin users in AWS or Azure.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS shadow admin detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - IaaS shadow admin detected
alertDescriptionFormat: |
IaaS shadow admin detected. The policy detects shadow admin users in AWS or Azure.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,62 @@
id: d7ee7bb5-d712-4d44-b201-b13379924934
name: New direct access policy was granted against organizational policy
kind: Scheduled
description: This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
severity: Low
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
relevantTechniques:
- T1078
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New direct access policy was granted against organizational policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - New direct access policy was granted against organizational policy
alertDescriptionFormat: |
New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,57 @@
id: 6c17f270-cd56-48cc-9196-1728ffea6538
name: New service account gained access to IaaS resource
kind: Scheduled
description: This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
severity: Informational
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "New service account gained access to IaaS resource"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - New service account gained access to IaaS resource
alertDescriptionFormat: New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
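Review bot: `tactics: - InitialAccess` is declared with no `relevantTechniques`, unlike the sibling rules that pair it with `T1078`; a service account gaining new access to IaaS resources presumably falls under the same Valid Accounts technique, so adding `relevantTechniques: - T1078` keeps the MITRE coverage consistent across the solution. The `Empty group with entitlements` rule is likewise missing techniques — please confirm that is deliberate.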


@ -0,0 +1,62 @@
id: 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa
name: Password Exfiltration over SCIM application
kind: Scheduled
description: This rule detects suspicious sync events that occurred to applications using SCIM for user provisioning.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- InitialAccess
relevantTechniques:
- T1555
- T1040
- T1552
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Password Exfiltration over SCIM application"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Password Exfiltration over SCIM application
alertDescriptionFormat: Password Exfiltration over SCIM application. This policy detects suspicious sync events that occurred to applications using SCIM for user provisioning.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
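Review bot: `tactics` includes `InitialAccess` but none of the listed techniques (`T1555`, `T1040`, `T1552`) belong to that tactic — they sit under Credential Access (T1040 also under Discovery). If the template validation cross-checks techniques against tactics this will fail; otherwise the tactic is just mislabelled, so either drop `InitialAccess` or add a technique that justifies it.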


@ -0,0 +1,60 @@
id: 72891de4-da70-44e4-9984-35fcea98d000
name: Privileged Machines Exposed to the Internet
kind: Scheduled
description: These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
- Impact
relevantTechniques:
- T1580
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Privileged Machines Exposed to the Internet
alertDescriptionFormat: Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also "privileged".
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,59 @@
id: 642de064-c67b-4eb7-98bd-3f8cd51f282c
name: Refactor AWS policy based on activities in the last 60 days
kind: Scheduled
description: This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Refactor AWS policy based on activities in the last 60 days."
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Refactor AWS policy based on activities in the last 60 days
alertDescriptionFormat: Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
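Review bot: The filter `| where Policy has "Refactor AWS policy based on activities in the last 60 days."` carries a trailing period that the rule `name` and `alertnameFormat` do not, so the three strings disagree about the policy title. If the policy_name_s values coming from Authomize have no trailing period the phrase match may never fire; confirm against real data and, assuming the period is spurious, change the line to `| where Policy has "Refactor AWS policy based on activities in the last 60 days"`.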


@ -0,0 +1,60 @@
id: 766a3b1b-0d5b-4a8d-b0d6-7dd379e73567
name: Stale AWS policy attachment to identity
kind: Scheduled
description: |2-
The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk.
severity: Low
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Stale AWS policy attachment to identity"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Stale AWS policy attachment to identity
alertDescriptionFormat: Stale AWS policy attachment to identity. The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,57 @@
id: ccdf3f87-7890-4549-9d0f-8f43c1d2751d
name: Stale IAAS policy attachment to role
kind: Scheduled
description: The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.
severity: Informational
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Stale IAAS policy attachment to role"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Stale IAAS policy attachment to role
alertDescriptionFormat: Stale IAAS policy attachment to role. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days.It is recommended to remove unused policies from identities to reduce risk.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,63 @@
id: e0ae5f9e-865b-41f5-98bb-c04113888e85
name: Unused IaaS Policy
kind: Scheduled
description: The policy detects 'IaaS policies' that no one in the account has been using during the last X days.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
relevantTechniques:
- T1078
- T1068
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Unused IaaS Policy"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Unused IaaS Policy
alertDescriptionFormat: |
Unused IaaS Policy. The policy detects 'IaaS policies' that no one in the account has been using during the last X days.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
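Review bot: `relevantTechniques` lists T1078 twice (first and third entries), which the solution schema validation is likely to reject as a duplicate; drop one so the list reads `- T1078` / `- T1068`. Whether T1068 (Exploitation for Privilege Escalation) really describes an unused IaaS policy is doubtful and worth a second look, but that is a content question rather than a validation one.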


@ -0,0 +1,60 @@
id: c04ed74c-3b23-48cd-9c11-fd10cffddc64
name: User assigned to a default admin role
kind: Scheduled
description: The policy detects users that were assigned to one of the systems default admin roles.
severity: High
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "User assigned to a default admin role"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - User assigned to a default admin role
alertDescriptionFormat: |
User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,60 @@
id: 71a7b0de-f13d-44b9-9caa-668f1bad0ce6
name: User without MFA
kind: Scheduled
description: The policy detects user accounts without mutli-factor authentication
severity: Medium
status: Available
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "User without MFA"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
requiredDataConnectors:
- connectorId: Authomize
dataTypes: [ "Authomize_v2_CL" ]
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AnyAlert
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertnameFormat: Alert from Authomize - User without MFA
alertDescriptionFormat: |
User without MFA. The policy detects user accounts without mutli-factor authentication
alertSeverity: Severity
alertTactics: Tactics
alertDynamicProperties:
- alertProperty: AlertLink
value: URL
customDetails:
AuthomizeEventID: EventID
EventName: Policy
EventDescription: Description
EventRecommendation: Recommendation
ReferencedURL: URL
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
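Review bot: Both the `description` and the `alertDescriptionFormat` misspell "multi-factor" as "mutli-factor"; since the second one is rendered in every incident, fix both to `The policy detects user accounts without multi-factor authentication`. A trailing period would also make it consistent with the other rules' descriptions.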

Solutions/Authomize/Data Connectors/AuthomizeSentinelConnector.zip Normal file



@ -0,0 +1,158 @@
import datetime
import logging
import json
import requests
import os
from azureworker import post_data
from datetime import datetime, timezone
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobClient
from azure.keyvault.secrets import SecretClient
from azure.core.exceptions import ResourceNotFoundError
from azure.data.tables import TableServiceClient, TableEntity
import azure.functions as func
def GetJSONData(nextPage, TheCurrentDateTime, last_run_datetime=None):
filter_criteria = {
"createdAt": {
"$lte": TheCurrentDateTime
},
"status": {
"$in": ["Open"]
}
}
if last_run_datetime:
filter_criteria["createdAt"]["$gte"] = last_run_datetime
return {
"filter": filter_criteria,
"expand": [
"policy"
],
"sort": [
{
"fieldName": "createdAt",
"order": "ASC"
}
],
"pagination": {
"limit": 10,
"nextPage": nextPage
}
}
def DateInZulu(currentDate):
currentDate = datetime.now(timezone.utc).isoformat()
return currentDate
def get_datetime(storage_connection_string, table_name, entity_id):
try:
table_service_client = TableServiceClient.from_connection_string(storage_connection_string)
table_client = table_service_client.get_table_client(table_name)
entity = table_client.get_entity(partition_key='datetime', row_key=entity_id)
return entity.get('datetime')
except ResourceNotFoundError:
return None
def set_datetime(storage_connection_string, table_name, entity_id, datetime_value):
table_service_client = TableServiceClient.from_connection_string(storage_connection_string)
table_client = table_service_client.get_table_client(table_name)
entity = TableEntity(partition_key='datetime', row_key=entity_id, datetime=datetime_value)
try:
table_client.upsert_entity(entity)
except ResourceNotFoundError:
table_client.create_entity(entity)
def searchIncident():
logging.info('Python trigger function processed a request.')
# Set Constants
log_type = "Authomize_v2" # Sentinel Log Table
URL = "https://api.authomize.com/v2/incidents/search" # Authomize API Endpoint
# Retrieve secrets from Azure Key Vault
credential = DefaultAzureCredential()
vault_url = "https://authpt.vault.azure.net/"
secret_client = SecretClient(vault_url=vault_url, credential=credential)
token_secret = secret_client.get_secret("authomizeToken")
token = token_secret.value
customer_id_secret = secret_client.get_secret("CustomerID")
customer_id = customer_id_secret.value
shared_key_secret = secret_client.get_secret("sharedKey")
shared_key = shared_key_secret.value
# Access Azure Table Storage
storage_connection_string = os.getenv("AzureWebJobsStorage")
table_name = "authomizeDate"
entity_id = "last_run_datetime"
last_run_datetime = get_datetime(storage_connection_string, table_name, entity_id)
TheCurrentDateTime = DateInZulu(datetime.now(timezone.utc))
theheaders = {
'Authorization': token,
'Content-Type': 'application/json'
}
logging.info("Status: Started processing.")
MyCounter = 0
nextPage = ""
while True:
MyCounter += 1
logging.info(f"INFO: --Processing-- [{MyCounter}]")
JsonData = GetJSONData(nextPage, TheCurrentDateTime, last_run_datetime)
theData = json.dumps(JsonData)
try:
response = requests.post(url=URL, data=theData, headers=theheaders, timeout=10)
response.raise_for_status()
except requests.RequestException as e:
logging.warning(f"An error occurred making the API request: {e}")
break
try:
response_json = response.json()
# Handling data element
data_element = response_json.get('data', [])
if data_element:
body = json.dumps(data_element)
try:
post_data(customer_id, shared_key, body, log_type)
except Exception as e:
logging.exception(f"Error posting data: {e}")
else:
logging.info(f"INFO: No data to send, skipping process steps.")
# Handling pagination
pagination = response_json.get('pagination', {})
if pagination.get('hasMore'):
nextPage = pagination.get('nextPage', "")
else:
logging.info(f"Status: Stopped processing.")
break
except Exception as e:
logging.exception(f"Error processing response JSON: {e}")
break
# Update the timestamp in the table at the end of processing
set_datetime(storage_connection_string, table_name, entity_id, TheCurrentDateTime)
def main(mytimer: func.TimerRequest) -> None:
utc_timestamp = datetime.datetime.utcnow().replace(
tzinfo=datetime.timezone.utc).isoformat()
if mytimer.past_due:
logging.info('The timer is past due!')
logging.info('Python timer trigger function ran at %s', utc_timestamp)
searchIncident()
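Review bot: `main` will raise AttributeError on every invocation: `import datetime` at the top is shadowed by `from datetime import datetime, timezone`, so `datetime.datetime.utcnow()` is an attribute lookup on the class, not the module; replace the two-line expression with `utc_timestamp = datetime.now(timezone.utc).isoformat()` (and drop the now-unused `import datetime`). In `searchIncident`, `set_datetime(...)` runs unconditionally after the loop even when the loop exited via `break` on a request or JSON error, and `post_data` swallows its own failures, so any failed run still advances the watermark to `TheCurrentDateTime` and the incidents in that window are never fetched again; gate the write on a `completed` flag set only in the `hasMore` false branch, and have `post_data` report success so a failed post also leaves the watermark untouched. The Key Vault URL `https://authpt.vault.azure.net/` is a fixed environment-specific value baked into shared solution code; read it from an app setting the way `AzureWebJobsStorage` already is, e.g. `vault_url = os.environ["KEY_VAULT_URL"]` (setting name is illustrative). `DateInZulu` ignores its `currentDate` argument and always returns the current time, so either use the parameter or drop it; `BlobClient` is imported but never used.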


@ -0,0 +1,53 @@
import requests
import datetime
import hashlib
import hmac
import base64
import logging
# Build the API signature
def build_signature(customer_id, shared_key, date, content_length, method, content_type, resource):
try:
x_headers = 'x-ms-date:' + date
string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
decoded_key = base64.b64decode(shared_key)
except Exception as e:
logging.exception(f"Error decoding shared_key: {e}")
return None
encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
authorization = "SharedKey {}:{}".format(customer_id,encoded_hash)
return authorization
# Build and send a request to the POST API
def post_data(customer_id, shared_key, body, log_type):
method = 'POST'
content_type = 'application/json'
resource = '/api/logs'
rfc1123date = datetime.datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
content_length = len(body)
signature = build_signature(customer_id, shared_key, rfc1123date, content_length, method, content_type, resource)
if signature is None:
return
uri = 'https://' + customer_id + '.ods.opinsights.azure.com' + resource + '?api-version=2016-04-01'
headers = {
'content-type': content_type,
'Authorization': signature,
'Log-Type': log_type,
'x-ms-date': rfc1123date
}
try:
response = requests.post(uri, data=body, headers=headers)
except requests.RequestException as e:
logging.error(f"Error sending data to Sentinel: {e}")
return
if 200 <= response.status_code < 300:
logging.info(f"Data sent to Sentinel.")
else:
logging.error(f"Response code: {response.status_code}, Response content: {response.content}")
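Review bot: `requests.post(uri, data=body, headers=headers)` has no timeout, unlike the Authomize call in the companion module which uses `timeout=10`; a stalled Data Collector endpoint would hang the timer-triggered function until the platform kills it, so add a timeout here too, e.g. `response = requests.post(uri, data=body, headers=headers, timeout=10)`. `post_data` also returns None on success, on a transport error and on a non-2xx response alike, so the caller cannot tell whether the batch was actually ingested; return `True` from the 2xx branch and `False` from the error paths so the caller can decide whether to advance its watermark. The `except Exception` in `build_signature` logs every failure as "Error decoding shared_key" although the block also covers the string assembly; narrowing it to `binascii.Error`/`ValueError` around the `b64decode` call keeps the message truthful.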


@ -0,0 +1,11 @@
{
"scriptFile": "__init__.py",
"bindings": [
{
"name": "mytimer",
"type": "timerTrigger",
"direction": "in",
"schedule": "0 */50 * * * *"
}
]
}
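Review bot: The NCRONTAB expression `0 */50 * * * *` does not fire every 50 minutes: the step applies within the minute field, so it fires at :00 and :50 of each hour, giving alternating 50-minute and 10-minute gaps. Because the poller filters on the stored `last_run_datetime` this will not lose events, but if an even cadence is intended use a divisor of 60 such as `"schedule": "0 */30 * * * *"` or an hourly `"0 0 * * * *"`.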


@ -0,0 +1,15 @@
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle",
"version": "[3.*, 4.0.0)"
}
}


@ -0,0 +1,6 @@
# DO NOT include azure-functions-worker in this file
# The Python Worker is managed by Azure Functions platform
# Manually managing azure-functions-worker may cause unexpected issues
Azure-functions
requests==2.31.0
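Review bot: The function code imports `azure.identity`, `azure.keyvault.secrets`, `azure.data.tables`, `azure.core.exceptions` and `azure.storage.blob`, but only `Azure-functions` and `requests` are declared, so a deployment built from this file fails at import time. Add `azure-identity`, `azure-keyvault-secrets` and `azure-data-tables` (pinned to the versions the connector was tested with); `azure-core` comes in transitively, and `azure-storage-blob` is only needed if the unused `BlobClient` import is kept. Pinning `Azure-functions` like `requests` is already pinned would also keep builds reproducible.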


@ -0,0 +1,52 @@
{
"Name": "Authomize",
"Author": "Authomize - support@authomize.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Authomize.svg\" width=\"75px\" height=\"75px\">",
"Description": "The Authomize Solution integrates Authomize with Microsoft Sentinel to monitor and analyze security events from Authomize.",
"Workbooks": [
"Workbooks/Authomize.json"
],
"Analytic Rules": [
"Analytic Rules/Access_to_AWS_without_MFA.yaml",
"Analytic Rules/Admin_password_wasnt_updated.yaml",
"Analytic Rules/Admin_SaaS_account_detected.yaml",
"Analytic Rules/AWS_role_with_admin_privileges.yaml",
"Analytic Rules/AWS_role_with_shadow_admin_privileges.yaml",
"Analytic Rules/Chain_of_3_or_more_roles.yaml",
"Analytic Rules/Detect_AWS_IAM_Users.yaml",
"Analytic Rules/Empty_group_with_entitlements.yaml",
"Analytic Rules/IaaS_admin_detected.yaml",
"Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml",
"Analytic Rules/IaaS_shadow_admin_detected.yaml",
"Analytic Rules/New_direct_access_policy_was_granted.yaml",
"Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml",
"Analytic Rules/Password_Exfiltration_over_SCIM.yaml",
"Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml",
"Analytic Rules/Refactor_AWS_policy_based_on_activities.yaml",
"Analytic Rules/Stale_AWS_policy_attachment_to_identity.yaml",
"Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml",
"Analytic Rules/Unused_IaaS_Policy.yaml",
"Analytic Rules/User_assigned_to_a_default_admin_role.yaml",
"Analytic Rules/User_without_MFA.yaml"
],
"Hunting Queries": [
"/Hunting queries/Admin_SaaS_account_detected.yml",
"/Hunting queries/Chain_of_3_or_more_roles.yaml",
"/Hunting queries/IaaS_admin_detected.yaml",
"/Hunting queries/IaaS_shadow_admin_detected.yaml",
"/Hunting queries/Password_Exfiltration_over_SCIM_application.yaml",
"/Hunting queries/Privileged_Machines_Exposed_to_the_Internet.yaml"
],
"Data Connectors": [
"Data Connectors/AuthomizeCustomConnector.json"
],
"Watchlists": [],
"WatchlistDescription": [],
"BasePath": "/Users/stevenriley/Documents/GitHub/Azure-Sentinel/Solutions/Authomize",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1Pconnector": false
}
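Review bot: `"BasePath": "/Users/stevenriley/Documents/GitHub/Azure-Sentinel/Solutions/Authomize"` is a personal local path; the V2 packaging tool resolves the other entries relative to it, so nobody else can rebuild the package from this file and it leaks a developer username into the repository. The hunting-query paths are also inconsistent with the rest of the file: they start with a leading `/` while the analytic-rule paths are relative, and the first one ends in `.yml` where every other file uses `.yaml`, e.g. `"Hunting queries/Admin_SaaS_account_detected.yaml"`. Six hunting queries are listed here while the generated createUiDefinition text in this commit advertises five and also counts one parser that this file does not declare, so the package was apparently generated from a different revision of this input. Since raw.githubusercontent.com is case-sensitive, confirm the `Logo` URL's `Authomize.svg` matches the exact case of the SVG committed under Workbooks/Images/Logos.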


@ -0,0 +1,31 @@
id: b3430fb5-78aa-4729-8595-f66c06138478
name: Admin SaaS account detected
description: |
'detects internal admins accounts, it's recommended to review any new administrative permission.'
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1089
query: |
Authomize_v2_CL
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Admin SaaS account detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
| extend CloudApplication_0_Name = Policy
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: Policy
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
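Review bot: `relevantTechniques: - T1089` (Disabling Security Tools) is a deprecated ATT&CK ID that was folded into T1562.001 and has nothing to do with detecting administrative accounts; T1078 (Valid Accounts) or T1098 (Account Manipulation) describe this hunt, and the same T1089 entry is repeated in the Chain-of-roles, IaaS admin and IaaS shadow admin hunting queries in this commit. The entity mapping is also questionable: `| extend CloudApplication_0_Name = Policy` plus `columnName: Policy` turns the Authomize policy title into the CloudApplication entity, so every result yields the same literal entity "Admin SaaS account detected" rather than the affected application; if the custom table carries an application name column, map that instead, otherwise drop the mapping rather than emit a constant. The description also starts with a lowercase "detects" inside stray single quotes, which renders verbatim in the gallery.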


@ -0,0 +1,31 @@
id: bf03796a-3ed7-440f-bfc3-0c702cf762a9
name: ateral Movement Risk - Role Chain Length
description: |
'detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.'
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1089
query: |
Authomize_v2_CL
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Chain of 3 or more roles"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
| extend CloudApplication_0_Name = Policy
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: Policy
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com
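Review bot: The hunt's `name: ateral Movement Risk - Role Chain Length` is missing its first letter and should read `name: Lateral Movement Risk - Role Chain Length`. The description says "chains of more than 3 roles" while the query filters on the policy "Chain of 3 or more roles", so one of the two thresholds is wrong; align the description with the policy title the query actually matches.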


@ -0,0 +1,31 @@
id: ab80b41c-23e5-4264-ac23-806aad2a57af
name: IaaS admin detected
description: |
'detects admin users in AWS or Azure.'
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1089
query: |
Authomize_v2_CL
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS admin detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
| extend CloudApplication_0_Name = Policy
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: Policy
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,31 @@
id: fad675f5-b743-40c6-873d-019de93f18db
name: IaaS shadow admin detected
description: |
'detects shadow admin users in AWS or Azure.'
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1089
query: |
Authomize_v2_CL
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "IaaS shadow admin detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
| extend CloudApplication_0_Name = Policy
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: Policy
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,35 @@
id: 485e7cab-131e-40ce-9482-791e681b7967
name: Password Exfiltration over SCIM application
description: |
'detects suspicious sync events that occurred to applications using SCIM for user provisioning.'
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- CredentialAccess
relevantTechniques:
- T1555
- T1040
- T1552
- T1555.003
- T1552.005
query: |
Authomize_v2_CL
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Password Exfiltration over SCIM"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
| extend CloudApplication_0_Name = Policy
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: Policy
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com


@ -0,0 +1,31 @@
id: 7457a420-8c28-4ce2-a55e-d050e5a6bc4f
name: Privileged Machines Exposed to the Internet
description: |
'detects AWS instances which are exposed to the internet and can assume privileged roles. This is a default definition by Authomize and can be updated using the edit model.'
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
tactics:
- Discovery
relevantTechniques:
- T1613
query: |
Authomize_v2_CL
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Privileged Machines Exposed to the Internet"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
| extend CloudApplication_0_Name = Policy
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: Policy
version: 1.0.0
metadata:
source:
kind: Authomize
author:
name: Steven Riley
support:
tier: support@authomize.com

Solutions/Authomize/Package/2.0.0.zip Normal file



@ -0,0 +1,543 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Authomize.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Authomize Solution integrates Authomize with Microsoft Sentinel to monitor and analyze security events from Authomize.\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 21, **Hunting Queries:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for Authomize. You can get Authomize custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
},
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "Authomize ITDR Event Monitoring for Identities",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events."
}
}
]
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Access to AWS without MFA",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This detects users with access to AWS (IAM or Federated via Okta) without enabled MFA. This is a default definition by Authomize and can be updated using the edit modal."
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Admin password not updated in 30 days",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects an administrative account where the password of the account was not updated in the last 30 days."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "Admin SaaS account detected",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The rule detects internal admins accounts, it's recommended to review any new administrative permission."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "AWS role with admin privileges",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "AWS role with shadow admin privileges",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Lateral Movement Risk - Role Chain Length",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement."
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "Detect AWS IAM Users",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal."
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "Empty group with entitlements",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The rule detects empty groups with entitlements."
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "IaaS admin detected",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects admin users in AWS or Azure."
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "IaaS policy not attached to any identity",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The rule detects AWS policies that are not attached to any identities, meaning they can be deleted."
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "IaaS shadow admin detected",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects shadow admin users in AWS or Azure."
}
}
]
},
{
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "New direct access policy was granted against organizational policy",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps."
}
}
]
},
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
"label": "New service account gained access to IaaS resource",
"elements": [
{
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration."
}
}
]
},
{
"name": "analytic14",
"type": "Microsoft.Common.Section",
"label": "Password Exfiltration over SCIM application",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule detects suspicious sync events that occurred to applications using SCIM for user provisioning."
}
}
]
},
{
"name": "analytic15",
"type": "Microsoft.Common.Section",
"label": "Privileged Machines Exposed to the Internet",
"elements": [
{
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also \"privileged\"."
}
}
]
},
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
"label": "Refactor AWS policy based on activities in the last 60 days",
"elements": [
{
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded."
}
}
]
},
{
"name": "analytic17",
"type": "Microsoft.Common.Section",
"label": "Stale AWS policy attachment to identity",
"elements": [
{
"name": "analytic17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk."
}
}
]
},
{
"name": "analytic18",
"type": "Microsoft.Common.Section",
"label": "Stale IAAS policy attachment to role",
"elements": [
{
"name": "analytic18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk."
}
}
]
},
{
"name": "analytic19",
"type": "Microsoft.Common.Section",
"label": "Unused IaaS Policy",
"elements": [
{
"name": "analytic19-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects 'IaaS policies' that no one in the account has been using during the last X days."
}
}
]
},
{
"name": "analytic20",
"type": "Microsoft.Common.Section",
"label": "User assigned to a default admin role",
"elements": [
{
"name": "analytic20-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects users that were assigned to one of the systems default admin roles."
}
}
]
},
{
"name": "analytic21",
"type": "Microsoft.Common.Section",
"label": "User without MFA",
"elements": [
{
"name": "analytic21-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The policy detects user accounts without mutli-factor authentication"
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "ateral Movement Risk - Role Chain Length",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "IaaS admin detected",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "detects admin users in AWS or Azure. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
}
}
]
},
{
"name": "huntingquery3",
"type": "Microsoft.Common.Section",
"label": "IaaS shadow admin detected",
"elements": [
{
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "detects shadow admin users in AWS or Azure. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
}
}
]
},
{
"name": "huntingquery4",
"type": "Microsoft.Common.Section",
"label": "Password Exfiltration over SCIM application",
"elements": [
{
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "detects suspicious sync events that occurred to applications using SCIM for user provisioning. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
}
}
]
},
{
"name": "huntingquery5",
"type": "Microsoft.Common.Section",
"label": "Privileged Machines Exposed to the Internet",
"elements": [
{
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "detects AWS instances which are exposed to the internet and can assume privileged roles. This is a default definition by Authomize and can be updated using the edit model. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
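Review bot: The label for `huntingquery1` reads `"ateral Movement Risk - Role Chain Length"`, missing the leading `L` that the matching `analytic6` section has. Two more text issues in the same file: `analytic21` has `mutli-factor` for `multi-factor`, and the `analytic15` text (EC2 machines exposed to the internet, filter by tags) no longer matches the description given for the same-named hunting query (instances that can assume privileged roles), so one of the two is out of date. This file is normally regenerated by the solution packaging tool from the rule and hunting-query YAMLs (inferred from its structure), so the corrections belong in those source files followed by a regenerate rather than hand edits here.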



@ -0,0 +1,16 @@
{
"publisherId": "Authomize",
"offerId": "azure-sentinel-solution-authomize",
"firstPublishDate": "2023-06-15",
"providers": ["Authomize"],
"categories": {
"domains" : ["Identity","Application","Security - Insider Threat", "Compliance"],
"verticals": ["Education","Finance","Healthcare","Manufacturing","Retail"]
},
"support": {
"name": "Authomize",
"email": "support@authomize.com",
"tier": "Partner-supported",
"link": "https://support.authomize.com"
}
}


@ -0,0 +1,275 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "<a href=\"https://www.authomize.com/\" target=\"_blank\">\n<img width=\"211\" src=\"https://www.authomize.com/wp-content/themes/authomize/img/automize logo_horizontal authomize logo on white.svg\"/>\n</a>\n# Authomize ITDR\n---"
},
"name": "text - 2",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName Authomize_v2_CL\n| where TimeGenerated > ago(5d)\n| summarize Count=count() by TimeGenerated\n| render barchart\n",
"size": 1,
"title": "Event Processing from Authomize tenant",
"color": "green",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"chartSettings": {
"group": "TimeGenerated",
"createOtherGroup": null
}
},
"name": "Check Events"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName Authomize_v2_CL\n| summarize Count=count() by Category",
"size": 0,
"title": "Event Category",
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Category",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Category",
"formatter": 1
},
"centerContent": {
"columnMatch": "Count",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong"
}
},
"name": "query - 7"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Events to Process",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName Authomize_v2_CL\n| summarize Count=count() by severity_s\n| render piechart",
"size": 2,
"title": "Events by Severity",
"timeContext": {
"durationMs": 2592000000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "severity_s",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"showLegend": true,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "50",
"name": "query - 3",
"styleSettings": {
"showBorder": true
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName Authomize_v2_CL\n| extend Policy = policy_name_s\n| extend Severity = severity_s\n| extend Description = description_s\n| extend Recommendation = recommendation_s\n| extend URL = url_s\n| extend Tactics = tactics_s\n//| where policy_name_s contains tostring(this_event)\n| project Policy, Severity, Description, Recommendation, URL, Category, Tactics",
"size": 2,
"title": "Events",
"timeContext": {
"durationMs": 259200000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "URL",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
},
{
"columnMatch": "url_s",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
],
"rowLimit": 1000
},
"sortBy": []
},
"customWidth": "50",
"name": "query - 6",
"styleSettings": {
"maxWidth": "50",
"showBorder": true
}
}
]
},
"name": "EventsToProcess"
},
{
"type": 1,
"content": {
"json": "# Select an Event Type"
},
"name": "text - 5"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Events Grouped",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "union withsource=_TableName Authomize_v2_CL\n| extend Event_Type = policy_name_s\n| summarize Count = count() by Event_Type",
"size": 0,
"timeContext": {
"durationMs": 604800000
},
"exportMultipleValues": true,
"exportedParameters": [
{
"fieldName": "Event_Type",
"parameterName": "theEventType"
}
],
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"customWidth": "50",
"name": "Grouped Events",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let the_Event=dynamic({theEventType});\nunion withsource=_TableName Authomize_v2_CL\n| extend Severity = severity_s\n| extend Description = description_s\n| extend Recommendation = recommendation_s\n| extend URL = url_s\n| where policy_name_s contains tostring(the_Event)\n| project Severity, Description, Recommendation, URL, Category",
"size": 0,
"timeContext": {
"durationMs": 604800000
},
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "URL",
"formatter": 7,
"formatOptions": {
"linkTarget": "Url"
}
}
]
}
},
"customWidth": "50",
"name": "query - 5",
"styleSettings": {
"maxWidth": "50"
}
}
]
},
"name": "MultiSelect",
"styleSettings": {
"showBorder": true
}
}
],
"styleSettings": {
"paddingStyle": "narrow",
"spacingStyle": "narrow"
},
"fromTemplateId": "sentinel-AuthomizeWorkbook",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
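Review bot: The "Check Events" bar chart summarizes by the raw `TimeGenerated` value, so every distinct ingestion timestamp becomes its own bar; bucket it instead, `| summarize Count=count() by bin(TimeGenerated, 1h)`, and consider replacing the hard-coded `ago(5d)` with a `timeContext` like the other items so the workbook time picker applies. In the `query - 5` item, `dynamic({theEventType})` combined with `exportMultipleValues: true` on the "Grouped Events" item looks like it only works for a single selection; the usual multi-value form is `| where policy_name_s in ({theEventType})` (inferred from the parameter settings, worth confirming in the workbook editor). The `query - 6` item still carries the leftover `//| where policy_name_s contains tostring(this_event)`, which should be removed. The logo `<img>` in the first text block is fetched from www.authomize.com with unencoded spaces in the path; percent-encode them or reference the logo shipped in the repository, as the createUiDefinition already does, so the image renders reliably.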



@ -1,4 +1,17 @@
[
{
"workbookKey": "AuthomizeWorkbook",
"logoFileName": "Authomize.svg",
"description": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events.",
"dataTypesDependencies": [ "Authomize_v2_CL" ],
"dataConnectorsDependencies": [ "Authomize" ],
"previewImagesFileNames": [ "AuthomizeITDREventMonitoring-BW.png", "AuthomizeITDREventMonitoring.png" ],
"version": "2.0.0",
"title": "Authomize ITDR Event Monitoring for Identities",
"templateRelativePath": "Authomize.json",
"subtitle": "",
"provider": "Authomize"
},
{
"workbookKey": "42CrunchAPIProtectionWorkbook",
"logoFileName": "42CrunchLogo.svg",
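Review bot: The new Authomize entry is inserted ahead of `42CrunchAPIProtectionWorkbook`; only that one neighbour is visible, but if this list is kept in `workbookKey` order the entry belongs after it, since `4` sorts before `A`. `"subtitle": ""` is an empty string rather than an omitted field; keep it only if the metadata schema requires the key to be present.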


@ -0,0 +1,12 @@
<svg width="703" height="777" viewBox="0 0 703 777" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M453.93 214.126H375.274C374.1 218.141 372.045 221.869 369.404 224.737L423.7 316.227C424.581 316.227 425.755 315.94 426.635 315.94C437.495 315.94 446.299 324.544 446.299 335.156C446.299 339.745 444.832 343.76 441.897 347.202L502.944 449.876C505.879 449.016 509.107 448.442 512.335 448.442C515.27 448.442 518.205 449.016 521.14 449.59L557.24 388.501L453.93 214.126Z" fill="#1BC263"/>
<path d="M357.667 29.1384L256.411 199.785H328.024C331.546 190.321 340.644 183.724 351.21 183.724C362.069 183.724 371.167 190.321 374.396 199.785H659.965L357.667 29.1384Z" fill="#1BC263"/>
<path d="M411.957 348.062L254.645 404.275C254.351 414.6 245.546 423.204 234.981 423.204C234.1 423.204 232.926 423.204 232.046 422.917L205.925 467.371C208.273 470.526 209.447 474.541 209.447 478.557C209.447 483.145 207.979 487.161 205.338 490.602L248.481 563.163H454.514L491.494 500.354C485.624 494.904 481.808 487.161 481.808 478.27C481.808 469.953 485.33 462.209 490.907 456.76L429.86 353.798C428.98 353.798 427.806 354.085 426.925 354.085C421.055 354.372 415.772 352.077 411.957 348.062Z" fill="#1BC263"/>
<path d="M327.44 214.126H247.904L144.3 388.214L186.27 458.767C187.15 458.767 187.737 458.767 188.618 458.767C190.379 458.767 192.14 459.054 193.901 459.341L219.435 416.034C216.793 412.592 215.032 408.577 215.032 403.988C215.032 393.377 223.837 384.772 234.696 384.772C235.577 384.772 236.751 384.772 237.631 385.059L332.43 224.164C330.082 221.009 328.321 217.567 327.44 214.126Z" fill="#1BC263"/>
<path d="M344.76 231.335L251.136 390.51L407.274 334.87C407.274 330.568 409.035 326.553 411.677 323.398L357.381 231.909C355.62 232.195 353.565 232.482 351.804 232.482C349.163 232.195 346.815 231.909 344.76 231.335Z" fill="#1BC263"/>
<path d="M672.87 214.126H470.653L672.87 554.846V214.126Z" fill="#1BC263"/>
<path d="M565.752 402.555L533.761 456.761C539.631 462.21 543.447 469.954 543.447 478.844C543.447 495.479 529.652 509.245 512.336 509.245C509.401 509.245 506.466 508.672 503.532 508.098L364.709 743.848L666.714 573.489L565.752 402.555Z" fill="#1BC263"/>
<path d="M338.876 32.8677L35.1108 204.088L136.072 374.161L338.876 32.8677Z" fill="#1BC263"/>
<path d="M43.6279 577.503L345.632 747.862L446.007 577.503H43.6279Z" fill="#1BC263"/>
<path d="M30.1284 223.59V563.162H231.758L193.017 498.345C191.55 498.632 190.082 498.919 188.615 498.919C177.168 498.919 168.07 489.741 168.07 478.843C168.07 473.68 170.125 468.805 173.353 465.363L30.1284 223.59Z" fill="#1BC263"/>
</svg>
