\Data Connectors\``` directory you just copied to your Ubuntu VM with Docker Engine.
+9. By default the scheduler will run every 2 hours looking for incidents. If you want to change that value then open the file authomizescheduler.py find the variable at the top of the file called ```NumberOfMinutes``` and change from ```120```. This default can be left as is unless you have a very busy environment. Do not go below ```30``` minutes.
+ - ***NOTE:*** When the image starts it will initiate contact with your tenant and collect all currently open events. Once complete it will check for new events every 120 minutes.
+10. Using the Docker file included build your docker image: [```docker build -t authomize:sentinel .```] .
+11. Create a container and start it detached. This also mounts the volume authomize_apps which is needed to ensure we keep file states: [```docker run -d -v authomize_apps:/apps --name sentinel001 authomize:sentinel```] .
+12. Check that the image is running with [```docker ps```] and look for sentinel001 with the image authomize:sentinel.
+13. Run the following [```docker update --restart unless-stopped sentinel001```] to ensure the container changes the restart policy for an already running container. This will force your container to start if your host is ever restarted. [See docker content for more information](https://docs.docker.com/config/containers/start-containers-automatically/).
+
+[DEV NOTE: consider using sparseCheckout]
\ No newline at end of file
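Review bot: the `[DEV NOTE: consider using sparseCheckout]` line at the end of this README hunk is an internal to-do that will ship to users as-is; move it to an issue or drop it. In step 9, "Do not go below `30` minutes" reads like a hard limit, but nothing in the text says `authomizescheduler.py` enforces a floor on `NumberOfMinutes`, so either state that it is a guideline or add a minimum check in the scheduler. Step 13's wording "to ensure the container changes the restart policy for an already running container" could simply read "to set the restart policy on the already running container". The file also lacks a trailing newline.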
diff --git a/Solutions/Authomize/Data Connectors/requirements.txt b/Solutions/Authomize/Data Connectors/requirements.txt
new file mode 100644
index 00000000000..975a214d14c
--- /dev/null
+++ b/Solutions/Authomize/Data Connectors/requirements.txt
@@ -0,0 +1,6 @@
+# DO NOT include azure-functions-worker in this file
+# The Python Worker is managed by Azure Functions platform
+# Manually managing azure-functions-worker may cause unexpected issues
+
+Azure-functions
+requests==2.31.0
\ No newline at end of file
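Review bot: `Azure-functions` is left unpinned while `requests==2.31.0` is pinned; pin it too (and use the canonical lowercase distribution name `azure-functions`) so the connector builds reproducibly and a future major release of the package cannot change behaviour without a deliberate bump. The file is also missing a trailing newline.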
diff --git a/Solutions/Authomize/Data/Solution_Authomize.json b/Solutions/Authomize/Data/Solution_Authomize.json
new file mode 100644
index 00000000000..5b770632664
--- /dev/null
+++ b/Solutions/Authomize/Data/Solution_Authomize.json
@@ -0,0 +1,55 @@
+{
+ "Name": "Authomize",
+ "Author": "Authomize - support@authomize.com",
+ "Logo": "",
+ "Description": "The [Authomize Solution](https://authomize.com) integrates Authomize with Microsoft Sentinel to monitor and analyze security events from Authomize.",
+ "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences.",
+ "AnalyticalRuleBladeDescription": "This solution installs analytic rules. After installing the solution, create and enable analytic rules in Manage solution view. ",
+ "HuntingQueryBladeDescription": "This solution installs hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view",
+ "Workbooks": [
+ "Workbooks/Authomize.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/Access_to_AWS_without_MFA.yaml",
+ "Analytic Rules/Admin_password_wasnt_updated.yaml",
+ "Analytic Rules/Admin_SaaS_account_detected.yaml",
+ "Analytic Rules/AWS_role_with_admin_privileges.yaml",
+ "Analytic Rules/AWS_role_with_shadow_admin_privileges.yaml",
+ "Analytic Rules/Chain_of_3_or_more_roles.yaml",
+ "Analytic Rules/Detect_AWS_IAM_Users.yaml",
+ "Analytic Rules/Empty_group_with_entitlements.yaml",
+ "Analytic Rules/IaaS_admin_detected.yaml",
+ "Analytic Rules/IaaS_policy_not_attached_to_any_identity.yaml",
+ "Analytic Rules/IaaS_shadow_admin_detected.yaml",
+ "Analytic Rules/New_direct_access_policy_was_granted.yaml",
+ "Analytic Rules/New_service_account_gained_access_to_IaaS_resource.yaml",
+ "Analytic Rules/Password_Exfiltration_over_SCIM.yaml",
+ "Analytic Rules/Privileged_Machines_Exposed_to_the_Internet.yaml",
+ "Analytic Rules/Refactor_AWS_policy_based_on_activities.yaml",
+ "Analytic Rules/Stale_AWS_policy_attachment_to_identity.yaml",
+ "Analytic Rules/Stale_IAAS_policy_attachment_to_role.yaml",
+ "Analytic Rules/Unused_IaaS_Policy.yaml",
+ "Analytic Rules/User_assigned_to_a_default_admin_role.yaml",
+ "Analytic Rules/User_without_MFA.yaml"
+
+ ],
+ "Hunting Queries": [
+ "/Hunting queries/Admin_SaaS_account_detected.yaml",
+ "/Hunting queries/Chain_of_3_or_more_roles.yaml",
+ "/Hunting queries/IaaS_admin_detected.yaml",
+ "/Hunting queries/IaaS_shadow_admin_detected.yaml",
+ "/Hunting queries/Password_Exfiltration_over_SCIM_application.yaml",
+ "/Hunting queries/Privileged_Machines_Exposed_to_the_Internet.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/AuthomizeCustomConnector.json"
+ ],
+ "Watchlists": [],
+ "WatchlistDescription": [],
+ "BasePath": "C:/GitHub/Azure-Sentinel/Solutions/Authomize/",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1Pconnector": false
+ }
+
\ No newline at end of file
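Review bot: `"BasePath": "C:/GitHub/Azure-Sentinel/Solutions/Authomize/"` near the end of this file is a machine-specific Windows path, so the packaging tool will only resolve the listed content when run from that exact location on the author's machine; a raw GitHub URL or repository-relative path is the safer choice. Two smaller consistency points in the same hunk: the "Hunting Queries" entries carry a leading slash (`/Hunting queries/...`) while the "Analytic Rules", "Workbooks" and "Data Connectors" entries do not, and there is a stray empty line inside the "Analytic Rules" array before its closing bracket. `"Logo": ""` is also empty, which means no logo will be shown in the content hub. The file lacks a trailing newline.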
diff --git a/Solutions/Authomize/Hunting queries/Admin_SaaS_account_detected.yaml b/Solutions/Authomize/Hunting queries/Admin_SaaS_account_detected.yaml
new file mode 100644
index 00000000000..131e4748435
--- /dev/null
+++ b/Solutions/Authomize/Hunting queries/Admin_SaaS_account_detected.yaml
@@ -0,0 +1,24 @@
+id: b3430fb5-78aa-4729-8595-f66c06138478
+name: Admin SaaS account detected
+description: |
+ 'detects internal admins accounts, it's recommended to review any new administrative permission.'
+requiredDataConnectors:
+ - connectorId: Authomize
+ dataTypes:
+ - Authomize_v2_CL
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1089
+query: |
+ Authomize_v2_CL
+ | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
+ | where Policy has "Admin SaaS account detected"
+ | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+ | extend CloudApplication_0_Name = Policy
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Policy
+version: 1.0.0
\ No newline at end of file
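Review bot: the `project` line in this query references `Category`, which the preceding `extend` never produces (only `id_s`, `policy_name_s`, `severity_s`, `description_s`, `recommendation_s`, `url_s` and `tactics_s` are aliased); unless `Authomize_v2_CL` really has a column named `Category`, the query will fail to resolve it, so either alias the source column in the `extend` or drop it from the projection. The tactic/technique pairing also looks off: `tactics` lists `PrivilegeEscalation` but `relevantTechniques` lists `T1089`, a deprecated Defense Evasion technique (Disabling Security Tools), so pick a current technique that matches the tactic. Minor: the description starts in lowercase and reads "internal admins accounts", and this text is copied verbatim into the generated solution UI. No trailing newline.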
diff --git a/Solutions/Authomize/Hunting queries/Chain_of_3_or_more_roles.yaml b/Solutions/Authomize/Hunting queries/Chain_of_3_or_more_roles.yaml
new file mode 100644
index 00000000000..ee74257c27e
--- /dev/null
+++ b/Solutions/Authomize/Hunting queries/Chain_of_3_or_more_roles.yaml
@@ -0,0 +1,24 @@
+id: bf03796a-3ed7-440f-bfc3-0c702cf762a9
+name: ateral Movement Risk - Role Chain Length
+description: |
+ 'detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.'
+requiredDataConnectors:
+ - connectorId: Authomize
+ dataTypes:
+ - Authomize_v2_CL
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1089
+query: |
+ Authomize_v2_CL
+ | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
+ | where Policy has "Chain of 3 or more roles"
+ | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+ | extend CloudApplication_0_Name = Policy
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Policy
+version: 1.0.0
\ No newline at end of file
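Review bot: `name: ateral Movement Risk - Role Chain Length` is missing its first letter ("Lateral"), and because the package is generated from this file the typo shows up in the content hub as well. The `project` line also references `Category`, which the `extend` above does not define, and `T1089` is a deprecated Defense Evasion technique that does not match the `PrivilegeEscalation` tactic; for a role-chain finding a Privilege Escalation or Lateral Movement technique would be the appropriate mapping.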
diff --git a/Solutions/Authomize/Hunting queries/IaaS_admin_detected.yaml b/Solutions/Authomize/Hunting queries/IaaS_admin_detected.yaml
new file mode 100644
index 00000000000..53967279aaf
--- /dev/null
+++ b/Solutions/Authomize/Hunting queries/IaaS_admin_detected.yaml
@@ -0,0 +1,24 @@
+id: ab80b41c-23e5-4264-ac23-806aad2a57af
+name: IaaS admin detected
+description: |
+ 'detects admin users in AWS or Azure.'
+requiredDataConnectors:
+ - connectorId: Authomize
+ dataTypes:
+ - Authomize_v2_CL
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1089
+query: |
+ Authomize_v2_CL
+ | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
+ | where Policy has "IaaS admin detected"
+ | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+ | extend CloudApplication_0_Name = Policy
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Policy
+version: 1.0.0
\ No newline at end of file
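Review bot: same two defects as the other hunting queries in this PR: `Category` in the `project` line is not defined by the preceding `extend`, and `T1089` is a deprecated Defense Evasion technique that does not match the `PrivilegeEscalation` tactic. The description should also start with a capital letter since it is rendered as-is in the UI.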
diff --git a/Solutions/Authomize/Hunting queries/IaaS_shadow_admin_detected.yaml b/Solutions/Authomize/Hunting queries/IaaS_shadow_admin_detected.yaml
new file mode 100644
index 00000000000..6cbfe3bc125
--- /dev/null
+++ b/Solutions/Authomize/Hunting queries/IaaS_shadow_admin_detected.yaml
@@ -0,0 +1,24 @@
+id: fad675f5-b743-40c6-873d-019de93f18db
+name: IaaS shadow admin detected
+description: |
+ 'detects shadow admin users in AWS or Azure.'
+requiredDataConnectors:
+ - connectorId: Authomize
+ dataTypes:
+ - Authomize_v2_CL
+tactics:
+ - PrivilegeEscalation
+relevantTechniques:
+ - T1089
+query: |
+ Authomize_v2_CL
+ | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
+ | where Policy has "IaaS shadow admin detected"
+ | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+ | extend CloudApplication_0_Name = Policy
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Policy
+version: 1.0.0
\ No newline at end of file
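Review bot: `Category` in the `project` line is not produced by the `extend` above, and the `T1089` technique is deprecated and belongs to Defense Evasion rather than the `PrivilegeEscalation` tactic listed; for a shadow-admin finding, a current Privilege Escalation technique is the right mapping. Description should start with a capital letter.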
diff --git a/Solutions/Authomize/Hunting queries/Password_Exfiltration_over_SCIM_application.yaml b/Solutions/Authomize/Hunting queries/Password_Exfiltration_over_SCIM_application.yaml
new file mode 100644
index 00000000000..53e5d686d87
--- /dev/null
+++ b/Solutions/Authomize/Hunting queries/Password_Exfiltration_over_SCIM_application.yaml
@@ -0,0 +1,28 @@
+id: 485e7cab-131e-40ce-9482-791e681b7967
+name: Password Exfiltration over SCIM application
+description: |
+ 'detects suspicious sync events that occurred to applications using SCIM for user provisioning.'
+requiredDataConnectors:
+ - connectorId: Authomize
+ dataTypes:
+ - Authomize_v2_CL
+tactics:
+ - CredentialAccess
+relevantTechniques:
+ - T1555
+ - T1040
+ - T1552
+ - T1555.003
+ - T1552.005
+query: |
+ Authomize_v2_CL
+ | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
+ | where Policy has "Password Exfiltration over SCIM"
+ | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+ | extend CloudApplication_0_Name = Policy
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Policy
+version: 1.0.0
\ No newline at end of file
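Review bot: `Category` in the `project` line is not defined by the preceding `extend`, so the query will not resolve unless the table has that exact column. On the technique list, `T1555`, `T1555.003`, `T1552` and `T1552.005` fit a credential-exposure-via-provisioning finding, but `T1040` (Network Sniffing) does not describe a SCIM sync event and should probably be dropped. The `where Policy has "Password Exfiltration over SCIM"` filter omits the trailing "application" that the rule name and the analytic rule title use; that works with `has` but it is worth confirming the exact policy name emitted by Authomize so the two stay in sync.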
diff --git a/Solutions/Authomize/Hunting queries/Privileged_Machines_Exposed_to_the_Internet.yaml b/Solutions/Authomize/Hunting queries/Privileged_Machines_Exposed_to_the_Internet.yaml
new file mode 100644
index 00000000000..b2aac2124d4
--- /dev/null
+++ b/Solutions/Authomize/Hunting queries/Privileged_Machines_Exposed_to_the_Internet.yaml
@@ -0,0 +1,24 @@
+id: 7457a420-8c28-4ce2-a55e-d050e5a6bc4f
+name: Privileged Machines Exposed to the Internet
+description: |
+ 'detects AWS instances which are exposed to the internet and can assume privileged roles. This is a default definition by Authomize and can be updated using the edit model.'
+requiredDataConnectors:
+ - connectorId: Authomize
+ dataTypes:
+ - Authomize_v2_CL
+tactics:
+ - Discovery
+relevantTechniques:
+ - T1613
+query: |
+ Authomize_v2_CL
+ | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
+ | where Policy has "Privileged Machines Exposed to the Internet"
+ | project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
+ | extend CloudApplication_0_Name = Policy
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: Policy
+version: 1.0.0
\ No newline at end of file
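Review bot: "can be updated using the edit model" in the description should read "edit modal" (the wording used for the analytic rules in createUiDefinition.json in this same PR). The `project` line references `Category`, which the `extend` above does not define. The `Discovery` tactic with `T1613` (Container and Resource Discovery) is an odd fit for a finding about internet-exposed instances that can assume privileged roles; an Initial Access or Privilege Escalation mapping would describe the risk better.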
diff --git a/Solutions/Authomize/Package/3.0.0.zip b/Solutions/Authomize/Package/3.0.0.zip
new file mode 100644
index 00000000000..00d6fbe8843
Binary files /dev/null and b/Solutions/Authomize/Package/3.0.0.zip differ
diff --git a/Solutions/Authomize/Package/createUiDefinition.json b/Solutions/Authomize/Package/createUiDefinition.json
new file mode 100644
index 00000000000..fc56e7ff42e
--- /dev/null
+++ b/Solutions/Authomize/Package/createUiDefinition.json
@@ -0,0 +1,557 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Authomize/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Authomize Solution](https://authomize.com) integrates Authomize with Microsoft Sentinel to monitor and analyze security events from Authomize.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 21, **Hunting Queries:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Authomize. You can get Authomize custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "workbooks",
+ "label": "Workbooks",
+ "subLabel": {
+ "preValidation": "Configure the workbooks",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Workbooks",
+ "elements": [
+ {
+ "name": "workbooks-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
+ }
+ },
+ {
+ "name": "workbooks-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+ }
+ }
+ },
+ {
+ "name": "workbook1",
+ "type": "Microsoft.Common.Section",
+ "label": "Authomize ITDR Event Monitoring for Identities",
+ "elements": [
+ {
+ "name": "workbook1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events."
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs analytic rules. After installing the solution, create and enable analytic rules in Manage solution view. "
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "Access to AWS without MFA",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This detects users with access to AWS (IAM or Federated via Okta) without enabled MFA. This is a default definition by Authomize and can be updated using the edit modal."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic2",
+ "type": "Microsoft.Common.Section",
+ "label": "Admin password not updated in 30 days",
+ "elements": [
+ {
+ "name": "analytic2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects an administrative account where the password of the account was not updated in the last 30 days."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic3",
+ "type": "Microsoft.Common.Section",
+ "label": "Admin SaaS account detected",
+ "elements": [
+ {
+ "name": "analytic3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The rule detects internal admins accounts, it's recommended to review any new administrative permission."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic4",
+ "type": "Microsoft.Common.Section",
+ "label": "AWS role with admin privileges",
+ "elements": [
+ {
+ "name": "analytic4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic5",
+ "type": "Microsoft.Common.Section",
+ "label": "AWS role with shadow admin privileges",
+ "elements": [
+ {
+ "name": "analytic5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic6",
+ "type": "Microsoft.Common.Section",
+ "label": "Lateral Movement Risk - Role Chain Length",
+ "elements": [
+ {
+ "name": "analytic6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic7",
+ "type": "Microsoft.Common.Section",
+ "label": "Detect AWS IAM Users",
+ "elements": [
+ {
+ "name": "analytic7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic8",
+ "type": "Microsoft.Common.Section",
+ "label": "Empty group with entitlements",
+ "elements": [
+ {
+ "name": "analytic8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The rule detects empty groups with entitlements."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic9",
+ "type": "Microsoft.Common.Section",
+ "label": "IaaS admin detected",
+ "elements": [
+ {
+ "name": "analytic9-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects admin users in AWS or Azure."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic10",
+ "type": "Microsoft.Common.Section",
+ "label": "IaaS policy not attached to any identity",
+ "elements": [
+ {
+ "name": "analytic10-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The rule detects AWS policies that are not attached to any identities, meaning they can be deleted."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic11",
+ "type": "Microsoft.Common.Section",
+ "label": "IaaS shadow admin detected",
+ "elements": [
+ {
+ "name": "analytic11-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects shadow admin users in AWS or Azure."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic12",
+ "type": "Microsoft.Common.Section",
+ "label": "New direct access policy was granted against organizational policy",
+ "elements": [
+ {
+ "name": "analytic12-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic13",
+ "type": "Microsoft.Common.Section",
+ "label": "New service account gained access to IaaS resource",
+ "elements": [
+ {
+ "name": "analytic13-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic14",
+ "type": "Microsoft.Common.Section",
+ "label": "Password Exfiltration over SCIM application",
+ "elements": [
+ {
+ "name": "analytic14-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This rule detects suspicious sync events that occurred to applications using SCIM for user provisioning."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic15",
+ "type": "Microsoft.Common.Section",
+ "label": "Privileged Machines Exposed to the Internet",
+ "elements": [
+ {
+ "name": "analytic15-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also \"privileged\"."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic16",
+ "type": "Microsoft.Common.Section",
+ "label": "Refactor AWS policy based on activities in the last 60 days",
+ "elements": [
+ {
+ "name": "analytic16-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic17",
+ "type": "Microsoft.Common.Section",
+ "label": "Stale AWS policy attachment to identity",
+ "elements": [
+ {
+ "name": "analytic17-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic18",
+ "type": "Microsoft.Common.Section",
+ "label": "Stale IAAS policy attachment to role",
+ "elements": [
+ {
+ "name": "analytic18-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic19",
+ "type": "Microsoft.Common.Section",
+ "label": "Unused IaaS Policy",
+ "elements": [
+ {
+ "name": "analytic19-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects 'IaaS policies' that no one in the account has been using during the last X days."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic20",
+ "type": "Microsoft.Common.Section",
+ "label": "User assigned to a default admin role",
+ "elements": [
+ {
+ "name": "analytic20-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects users that were assigned to one of the systems default admin roles."
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytic21",
+ "type": "Microsoft.Common.Section",
+ "label": "User without MFA",
+ "elements": [
+ {
+ "name": "analytic21-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The policy detects user accounts without mutli-factor authentication"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "name": "huntingqueries",
+ "label": "Hunting Queries",
+ "bladeTitle": "Hunting Queries",
+ "elements": [
+ {
+ "name": "huntingqueries-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view"
+ }
+ },
+ {
+ "name": "huntingqueries-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/hunting"
+ }
+ }
+ },
+ {
+ "name": "huntingquery1",
+ "type": "Microsoft.Common.Section",
+ "label": "Admin SaaS account detected",
+ "elements": [
+ {
+ "name": "huntingquery1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "detects internal admins accounts, it's recommended to review any new administrative permission. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery2",
+ "type": "Microsoft.Common.Section",
+ "label": "ateral Movement Risk - Role Chain Length",
+ "elements": [
+ {
+ "name": "huntingquery2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery3",
+ "type": "Microsoft.Common.Section",
+ "label": "IaaS admin detected",
+ "elements": [
+ {
+ "name": "huntingquery3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "detects admin users in AWS or Azure. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery4",
+ "type": "Microsoft.Common.Section",
+ "label": "IaaS shadow admin detected",
+ "elements": [
+ {
+ "name": "huntingquery4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "detects shadow admin users in AWS or Azure. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery5",
+ "type": "Microsoft.Common.Section",
+ "label": "Password Exfiltration over SCIM application",
+ "elements": [
+ {
+ "name": "huntingquery5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "detects suspicious sync events that occurred to applications using SCIM for user provisioning. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery6",
+ "type": "Microsoft.Common.Section",
+ "label": "Privileged Machines Exposed to the Internet",
+ "elements": [
+ {
+ "name": "huntingquery6-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "detects AWS instances which are exposed to the internet and can assume privileged roles. This is a default definition by Authomize and can be updated using the edit model. This hunting query depends on Authomize data connector (Authomize_v2_CL Parser or Table)"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
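Review bot: this file is generated from the YAML sources by the packaging tool, so the text problems below should be fixed in the source files and the package regenerated rather than patched here. The hunting query section `huntingquery2` carries the truncated label "ateral Movement Risk - Role Chain Length" from the YAML, and the hunting descriptions all start in lowercase ("detects internal admins accounts ..."). In the analytics section: `analytic5-text` has "The policy detect" (should be "detects"), `analytic15-text` writes "Ec2" where the service is "EC2", `analytic21-text` has "mutli-factor" and no terminating period, and `analytic3-text` has "internal admins accounts". The `huntingquery6-text` entry repeats the "edit model" / "edit modal" inconsistency from the YAML. The counts in the basics description (21 analytic rules, 6 hunting queries) do match the Solution_Authomize.json lists.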
diff --git a/Solutions/Authomize/Package/mainTemplate.json b/Solutions/Authomize/Package/mainTemplate.json
new file mode 100644
index 00000000000..09bb7a9a0ac
--- /dev/null
+++ b/Solutions/Authomize/Package/mainTemplate.json
@@ -0,0 +1,3979 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "Authomize - support@authomize.com",
+ "comments": "Solution template for Authomize"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Authomize ITDR Event Monitoring for Identities",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "email": "support@authomize.com",
+ "_email": "[variables('email')]",
+ "_solutionName": "Authomize",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "authomize.azure-sentinel-solution-authomize",
+ "_solutionId": "[variables('solutionId')]",
+ "AuthomizeEventID": "EventID",
+ "_AuthomizeEventID": "[variables('AuthomizeEventID')]",
+ "TemplateEmptyArray": "[json('[]')]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "AuthomizeWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "analyticRuleVersion1": "1.0.1",
+ "analyticRulecontentId1": "48a9478b-440a-4330-b42c-94bd84dc904c",
+ "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
+ "analyticRuleVersion2": "1.0.1",
+ "analyticRulecontentId2": "63d87fcb-d197-48d2-a642-de4813f0219a",
+ "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
+ "analyticRuleVersion3": "1.0.1",
+ "analyticRulecontentId3": "87419138-d75f-450d-aca4-1dc802e32540",
+ "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
+ "analyticRuleVersion4": "1.0.1",
+ "analyticRulecontentId4": "734c00a0-a95b-44dd-9b69-d926ed44256d",
+ "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
+ "analyticRuleVersion5": "1.0.1",
+ "analyticRulecontentId5": "2526079b-3355-4756-a2d1-21e9cd957261",
+ "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
+ "analyticRuleVersion6": "1.0.1",
+ "analyticRulecontentId6": "25bef734-4399-4c55-9579-4ebabd9cccf6",
+ "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
+ "analyticRuleVersion7": "1.0.1",
+ "analyticRulecontentId7": "077eb06a-c011-47f7-8d92-dfc2b1e1d71b",
+ "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
+ "analyticRuleVersion8": "1.0.1",
+ "analyticRulecontentId8": "c4d442a8-8227-4735-ac13-d84704e1b371",
+ "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
+ "analyticRuleVersion9": "1.0.1",
+ "analyticRulecontentId9": "dc728ba1-5204-4fde-ab48-eda19c8fad3a",
+ "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
+ "analyticRuleVersion10": "1.0.1",
+ "analyticRulecontentId10": "57bae0c4-50b7-4552-9de9-19dfecddbace",
+ "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
+ "analyticRuleVersion11": "1.0.1",
+ "analyticRulecontentId11": "31f43e9d-1839-4baf-a668-54c28b98af3e",
+ "_analyticRulecontentId11": "[variables('analyticRulecontentId11')]",
+ "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId11'))]",
+ "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId11'))))]",
+ "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId11'),'-', variables('analyticRuleVersion11'))))]",
+ "analyticRuleVersion12": "1.0.1",
+ "analyticRulecontentId12": "d7ee7bb5-d712-4d44-b201-b13379924934",
+ "_analyticRulecontentId12": "[variables('analyticRulecontentId12')]",
+ "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId12'))]",
+ "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId12'))))]",
+ "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId12'),'-', variables('analyticRuleVersion12'))))]",
+ "analyticRuleVersion13": "1.0.1",
+ "analyticRulecontentId13": "6c17f270-cd56-48cc-9196-1728ffea6538",
+ "_analyticRulecontentId13": "[variables('analyticRulecontentId13')]",
+ "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId13'))]",
+ "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId13'))))]",
+ "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId13'),'-', variables('analyticRuleVersion13'))))]",
+ "analyticRuleVersion14": "1.0.1",
+ "analyticRulecontentId14": "2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa",
+ "_analyticRulecontentId14": "[variables('analyticRulecontentId14')]",
+ "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId14'))]",
+ "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId14'))))]",
+ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId14'),'-', variables('analyticRuleVersion14'))))]",
+ "analyticRuleVersion15": "1.0.1",
+ "analyticRulecontentId15": "72891de4-da70-44e4-9984-35fcea98d000",
+ "_analyticRulecontentId15": "[variables('analyticRulecontentId15')]",
+ "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId15'))]",
+ "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId15'))))]",
+ "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId15'),'-', variables('analyticRuleVersion15'))))]",
+ "analyticRuleVersion16": "1.0.1",
+ "analyticRulecontentId16": "642de064-c67b-4eb7-98bd-3f8cd51f282c",
+ "_analyticRulecontentId16": "[variables('analyticRulecontentId16')]",
+ "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId16'))]",
+ "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId16'))))]",
+ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId16'),'-', variables('analyticRuleVersion16'))))]",
+ "analyticRuleVersion17": "1.0.1",
+ "analyticRulecontentId17": "766a3b1b-0d5b-4a8d-b0d6-7dd379e73567",
+ "_analyticRulecontentId17": "[variables('analyticRulecontentId17')]",
+ "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId17'))]",
+ "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId17'))))]",
+ "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId17'),'-', variables('analyticRuleVersion17'))))]",
+ "analyticRuleVersion18": "1.0.1",
+ "analyticRulecontentId18": "ccdf3f87-7890-4549-9d0f-8f43c1d2751d",
+ "_analyticRulecontentId18": "[variables('analyticRulecontentId18')]",
+ "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId18'))]",
+ "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId18'))))]",
+ "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId18'),'-', variables('analyticRuleVersion18'))))]",
+ "analyticRuleVersion19": "1.0.1",
+ "analyticRulecontentId19": "e0ae5f9e-865b-41f5-98bb-c04113888e85",
+ "_analyticRulecontentId19": "[variables('analyticRulecontentId19')]",
+ "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId19'))]",
+ "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId19'))))]",
+ "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId19'),'-', variables('analyticRuleVersion19'))))]",
+ "analyticRuleVersion20": "1.0.1",
+ "analyticRulecontentId20": "c04ed74c-3b23-48cd-9c11-fd10cffddc64",
+ "_analyticRulecontentId20": "[variables('analyticRulecontentId20')]",
+ "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId20'))]",
+ "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId20'))))]",
+ "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId20'),'-', variables('analyticRuleVersion20'))))]",
+ "analyticRuleVersion21": "1.0.1",
+ "analyticRulecontentId21": "71a7b0de-f13d-44b9-9caa-668f1bad0ce6",
+ "_analyticRulecontentId21": "[variables('analyticRulecontentId21')]",
+ "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId21'))]",
+ "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId21'))))]",
+ "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId21'),'-', variables('analyticRuleVersion21'))))]",
+ "huntingQueryVersion1": "1.0.0",
+ "huntingQuerycontentId1": "b3430fb5-78aa-4729-8595-f66c06138478",
+ "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
+ "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
+ "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
+ "huntingQueryVersion2": "1.0.0",
+ "huntingQuerycontentId2": "bf03796a-3ed7-440f-bfc3-0c702cf762a9",
+ "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
+ "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
+ "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
+ "huntingQueryVersion3": "1.0.0",
+ "huntingQuerycontentId3": "ab80b41c-23e5-4264-ac23-806aad2a57af",
+ "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
+ "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]",
+ "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]",
+ "huntingQueryVersion4": "1.0.0",
+ "huntingQuerycontentId4": "fad675f5-b743-40c6-873d-019de93f18db",
+ "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]",
+ "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]",
+ "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]",
+ "huntingQueryVersion5": "1.0.0",
+ "huntingQuerycontentId5": "485e7cab-131e-40ce-9482-791e681b7967",
+ "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]",
+ "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]",
+ "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]",
+ "huntingQueryVersion6": "1.0.0",
+ "huntingQuerycontentId6": "7457a420-8c28-4ce2-a55e-d050e5a6bc4f",
+ "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]",
+ "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]",
+ "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]",
+ "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]",
+ "uiConfigId1": "Authomize",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "Authomize",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "AuthomizeWorkbook Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n\\n\\n# Authomize ITDR\\n---\"},\"name\":\"text - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName Authomize_v2_CL\\n| where TimeGenerated > ago(5d)\\n| summarize Count=count() by TimeGenerated\\n| render barchart\\n\",\"size\":1,\"title\":\"Event Processing from Authomize tenant\",\"color\":\"green\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"chartSettings\":{\"group\":\"TimeGenerated\"}},\"name\":\"Check Events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName Authomize_v2_CL\\n| summarize Count=count() by Category\",\"size\":0,\"title\":\"Event Category\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Category\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"query - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Events to Process\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName Authomize_v2_CL\\n| summarize Count=count() by severity_s\\n| render piechart\",\"size\":2,\"title\":\"Events by 
Severity\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"severity_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName Authomize_v2_CL\\n| extend Policy = policy_name_s\\n| extend Severity = severity_s\\n| extend Description = description_s\\n| extend Recommendation = recommendation_s\\n| extend URL = url_s\\n| extend Tactics = tactics_s\\n//| where policy_name_s contains tostring(this_event)\\n| project Policy, Severity, Description, Recommendation, URL, Category, Tactics\",\"size\":2,\"title\":\"Events\",\"timeContext\":{\"durationMs\":259200000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"url_s\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":1000}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"maxWidth\":\"50\",\"showBorder\":true}}]},\"name\":\"EventsToProcess\"},{\"type\":1,\"content\":{\"json\":\"# Select an Event Type\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Events Grouped\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union withsource=_TableName 
Authomize_v2_CL\\n| extend Event_Type = policy_name_s\\n| summarize Count = count() by Event_Type\",\"size\":0,\"timeContext\":{\"durationMs\":604800000},\"exportMultipleValues\":true,\"exportedParameters\":[{\"fieldName\":\"Event_Type\",\"parameterName\":\"theEventType\"}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Grouped Events\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let the_Event=dynamic({theEventType});\\nunion withsource=_TableName Authomize_v2_CL\\n| extend Severity = severity_s\\n| extend Description = description_s\\n| extend Recommendation = recommendation_s\\n| extend URL = url_s\\n| where policy_name_s contains tostring(the_Event)\\n| project Severity, Description, Recommendation, URL, Category\",\"size\":0,\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"name\":\"MultiSelect\",\"styleSettings\":{\"showBorder\":true}}],\"styleSettings\":{\"paddingStyle\":\"narrow\",\"spacingStyle\":\"narrow\"},\"fromTemplateId\":\"sentinel-AuthomizeWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=AuthomizeWorkbook; logoFileName=Authomize.svg; description=Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Authomize ITDR Event Monitoring for Identities; templateRelativePath=Authomize.json; subtitle=; provider=Authomize}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "Authomize_v2_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "Authomize",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Access_to_AWS_without_MFA_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This detects users with access to AWS (IAM or Federated via Okta) without enabled MFA. This is a default definition by Authomize and can be updated using the edit modal.",
+ "displayName": "Access to AWS without MFA",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Access to AWS without MFA\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded. See the URL for further details within the event details in your Authomize Tenant. \n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Access to AWS without MFA",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Access to AWS without MFA",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Admin_password_wasnt_updated_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects an administrative account where the password of the account was not updated in the last 30 days.",
+ "displayName": "Admin password not updated in 30 days",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Admin password wasn't updated during the last 30 days\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Admin password wasn't updated during the last 30 days. The policy detects admin account where password wasn't updated during the last 30 days.\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Admin password wasn't updated during the last 30 days",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Admin password not updated in 30 days",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Admin_SaaS_account_detected_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The rule detects internal admins accounts, it's recommended to review any new administrative permission.",
+ "displayName": "Admin SaaS account detected",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Admin SaaS account detected\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1078",
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Admin SaaS account detected. The policy detects internal admins accounts, it's recommended to review any new administrative permission.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Admin SaaS account detected",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Admin SaaS account detected",
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "AWS_role_with_admin_privileges_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId4')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts.",
+ "displayName": "AWS role with admin privileges",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s \n| where Policy has \"AWS role with admin privileges\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "AWS role with admin privileges. The policy detects the creation of new AWS roles with administrative privileges. The policy configuration allows limiting the policy to specific accounts.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - AWS role with admin privileges",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 4",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "AWS role with admin privileges",
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "AWS_role_with_shadow_admin_privileges_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId5')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts.",
+ "displayName": "AWS role with shadow admin privileges",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s \n| where Policy has \"AWS role with shadow admin privileges\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "IaaS shadow admin detected. The policy detect the creation of new AWS roles with shadow admin privileges. The policy configuration allows limiting the policy to specific accounts.\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - AWS role with shadow admin privileges",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 5",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "AWS role with shadow admin privileges",
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Chain_of_3_or_more_roles_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId6')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.",
+ "displayName": "Lateral Movement Risk - Role Chain Length",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Chain of 3 or more roles\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Account can elevate privileges by assuming a role. The policy detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Account can elevate privileges by assuming a role",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 6",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Lateral Movement Risk - Role Chain Length",
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Detect_AWS_IAM_Users_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId7')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal.",
+ "displayName": "Detect AWS IAM Users",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Detect AWS IAM Users\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Detect AWS IAM Users. The policy detects IAM users across your AWS accounts, a practice that should be kept only for a small number of accounts. This is a default definition by Authomize and can be updated using the edit modal.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Detect AWS IAM Users",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 7",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Detect AWS IAM Users",
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Empty_group_with_entitlements_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId8')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The rule detects empty groups with entitlements.",
+ "displayName": "Empty group with entitlements",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Empty group with entitlements\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Empty group with entitlements. The policy detects empty groups with entitlements",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Empty group with entitlements",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 8",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Empty group with entitlements",
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IaaS_admin_detected_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId9')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects admin users in AWS or Azure.",
+ "displayName": "IaaS admin detected",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"IaaS admin detected\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "IaaS admin detected. The policy detects admin users in AWS or Azure\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - IaaS admin detected",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 9",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion9')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "IaaS admin detected",
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName10')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IaaS_policy_not_attached_to_any_identity_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion10')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId10')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The rule detects AWS policies that are not attached to any identities, meaning they can be deleted.",
+ "displayName": "IaaS policy not attached to any identity",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"IaaS policy not attached to any identity\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "IaaS policy not attached to any identity. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - IaaS policy not attached to any identity",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 10",
+ "parentId": "[variables('analyticRuleId10')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion10')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId10')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "IaaS policy not attached to any identity",
+ "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+ "id": "[variables('_analyticRulecontentProductId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName11')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IaaS_shadow_admin_detected_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion11')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId11')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects shadow admin users in AWS or Azure.",
+ "displayName": "IaaS shadow admin detected",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"IaaS shadow admin detected\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "IaaS shadow admin detected. The policy detects shadow admin users in AWS or Azure.\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - IaaS shadow admin detected",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId11'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 11",
+ "parentId": "[variables('analyticRuleId11')]",
+ "contentId": "[variables('_analyticRulecontentId11')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion11')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId11')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "IaaS shadow admin detected",
+ "contentProductId": "[variables('_analyticRulecontentProductId11')]",
+ "id": "[variables('_analyticRulecontentProductId11')]",
+ "version": "[variables('analyticRuleVersion11')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName12')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "New_direct_access_policy_was_granted_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion12')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId12')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.",
+ "displayName": "New direct access policy was granted against organizational policy",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New direct access policy was granted against organizational policy\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1078",
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "New direct access policy was granted against organizational policy. This policy detects when access was granted directly (not via groups). This policy is defined by default by Authomize to track AWS only. It is possible to edit the existing policy or create more versions to track other apps.\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - New direct access policy was granted against organizational policy",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId12'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 12",
+ "parentId": "[variables('analyticRuleId12')]",
+ "contentId": "[variables('_analyticRulecontentId12')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion12')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId12')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "New direct access policy was granted against organizational policy",
+ "contentProductId": "[variables('_analyticRulecontentProductId12')]",
+ "id": "[variables('_analyticRulecontentProductId12')]",
+ "version": "[variables('analyticRuleVersion12')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName13')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "New_service_account_gained_access_to_IaaS_resource_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion13')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId13')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
+ "displayName": "New service account gained access to IaaS resource",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"New service account gained access to IaaS resource\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "New service account gained access to IaaS resource. This policy detects when an application or service account gained new access to your assets. This policy is defined by Authomize and can be edited to change the configuration.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - New service account gained access to IaaS resource",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId13'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 13",
+ "parentId": "[variables('analyticRuleId13')]",
+ "contentId": "[variables('_analyticRulecontentId13')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion13')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId13')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "New service account gained access to IaaS resource",
+ "contentProductId": "[variables('_analyticRulecontentProductId13')]",
+ "id": "[variables('_analyticRulecontentProductId13')]",
+ "version": "[variables('analyticRuleVersion13')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName14')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Password_Exfiltration_over_SCIM_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion14')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId14')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This rule detects suspicious sync events that occurred to applications using SCIM for user provisioning.",
+ "displayName": "Password Exfiltration over SCIM application",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Password Exfiltration over SCIM application\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1555",
+ "T1040",
+ "T1552"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Password Exfiltration over SCIM application. This policy detects suspicious sync events that occurred to applications using SCIM for user provisioning.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Password Exfiltration over SCIM application",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId14'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 14",
+ "parentId": "[variables('analyticRuleId14')]",
+ "contentId": "[variables('_analyticRulecontentId14')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion14')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId14')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Password Exfiltration over SCIM application",
+ "contentProductId": "[variables('_analyticRulecontentProductId14')]",
+ "id": "[variables('_analyticRulecontentProductId14')]",
+ "version": "[variables('analyticRuleVersion14')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName15')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Privileged_Machines_Exposed_to_the_Internet_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion15')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId15')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also \"privileged\".",
+ "displayName": "Privileged Machines Exposed to the Internet",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Privileged Machines Exposed to the Internet\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Impact"
+ ],
+ "techniques": [
+ "T1580"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Privileged Machines Exposed to the Internet. These are AWS Ec2 machines that are exposed to the internet. You can further filter by tags so that you can, for example, find exposed machines that are also \"privileged\".",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Privileged Machines Exposed to the Internet",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId15'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 15",
+ "parentId": "[variables('analyticRuleId15')]",
+ "contentId": "[variables('_analyticRulecontentId15')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion15')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId15')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Privileged Machines Exposed to the Internet",
+ "contentProductId": "[variables('_analyticRulecontentProductId15')]",
+ "id": "[variables('_analyticRulecontentProductId15')]",
+ "version": "[variables('analyticRuleVersion15')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName16')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Refactor_AWS_policy_based_on_activities_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion16')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId16')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded.",
+ "displayName": "Refactor AWS policy based on activities in the last 60 days",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Refactor AWS policy based on activities in the last 60 days.\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Refactor AWS policy based on activities in the last 60 days. This is a recommended update to IAM policy on AWS. Review the policy and apply it according to change control process. Authomize will have a recommended policy to be downloaded.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Refactor AWS policy based on activities in the last 60 days",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId16'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 16",
+ "parentId": "[variables('analyticRuleId16')]",
+ "contentId": "[variables('_analyticRulecontentId16')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion16')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId16')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Refactor AWS policy based on activities in the last 60 days",
+ "contentProductId": "[variables('_analyticRulecontentProductId16')]",
+ "id": "[variables('_analyticRulecontentProductId16')]",
+ "version": "[variables('analyticRuleVersion16')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName17')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Stale_AWS_policy_attachment_to_identity_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion17')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId17')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk.",
+ "displayName": "Stale AWS policy attachment to identity",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Stale AWS policy attachment to identity\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Low",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Stale AWS policy attachment to identity. The policy detects 'AWS policies' attached to IAM users or roles that have not used it during the last X days. It is recommended to remove unused policies from identities to reduce risk.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Stale AWS policy attachment to identity",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId17'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 17",
+ "parentId": "[variables('analyticRuleId17')]",
+ "contentId": "[variables('_analyticRulecontentId17')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion17')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId17')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Stale AWS policy attachment to identity",
+ "contentProductId": "[variables('_analyticRulecontentProductId17')]",
+ "id": "[variables('_analyticRulecontentProductId17')]",
+ "version": "[variables('analyticRuleVersion17')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName18')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Stale_IAAS_policy_attachment_to_role_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion18')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId18')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The rule detects 'IaaS policies' attached to a role that has not used them during the past X days. It is recommended to remove unused policies from identities to reduce risk.",
+ "displayName": "Stale IAAS policy attachment to role",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Stale IAAS policy attachment to role\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Informational",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Stale IAAS policy attachment to role. The rule detects 'IaaS policies' attached to a role that has not used them during the past X days.It is recommended to remove unused policies from identities to reduce risk.",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Stale IAAS policy attachment to role",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId18'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 18",
+ "parentId": "[variables('analyticRuleId18')]",
+ "contentId": "[variables('_analyticRulecontentId18')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion18')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId18')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Stale IAAS policy attachment to role",
+ "contentProductId": "[variables('_analyticRulecontentProductId18')]",
+ "id": "[variables('_analyticRulecontentProductId18')]",
+ "version": "[variables('analyticRuleVersion18')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName19')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Unused_IaaS_Policy_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion19')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId19')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects 'IaaS policies' that no one in the account has been using during the last X days.",
+ "displayName": "Unused IaaS Policy",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Unused IaaS Policy\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "PrivilegeEscalation"
+ ],
+ "techniques": [
+ "T1078",
+ "T1068",
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Unused IaaS Policy. The policy detects 'IaaS policies' that no one in the account has been using during the last X days.\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - Unused IaaS Policy",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId19'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 19",
+ "parentId": "[variables('analyticRuleId19')]",
+ "contentId": "[variables('_analyticRulecontentId19')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion19')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId19')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Unused IaaS Policy",
+ "contentProductId": "[variables('_analyticRulecontentProductId19')]",
+ "id": "[variables('_analyticRulecontentProductId19')]",
+ "version": "[variables('analyticRuleVersion19')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName20')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "User_assigned_to_a_default_admin_role_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion20')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId20')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects users that were assigned to one of the systems default admin roles.",
+ "displayName": "User assigned to a default admin role",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"User assigned to a default admin role\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - User assigned to a default admin role",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId20'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 20",
+ "parentId": "[variables('analyticRuleId20')]",
+ "contentId": "[variables('_analyticRulecontentId20')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion20')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId20')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "User assigned to a default admin role",
+ "contentProductId": "[variables('_analyticRulecontentProductId20')]",
+ "id": "[variables('_analyticRulecontentProductId20')]",
+ "version": "[variables('analyticRuleVersion20')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName21')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "User_without_MFA_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion21')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId21')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "The policy detects user accounts without mutli-factor authentication",
+ "displayName": "User without MFA",
+ "enabled": false,
+ "query": "Authomize_v2_CL\n| where ingestion_time() >= ago(30m)\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"User without MFA\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "Authomize_v2_CL"
+ ],
+ "connectorId": "Authomize"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1078"
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "customDetails": {
+ "EventRecommendation": "Recommendation",
+ "AuthomizeEventID": "[variables('_AuthomizeEventID')]",
+ "EventDescription": "Description",
+ "EventName": "Policy",
+ "ReferencedURL": "URL"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "User without MFA. The policy detects user accounts without mutli-factor authentication\n",
+ "alertDynamicProperties": [
+ {
+ "value": "URL",
+ "alertProperty": "AlertLink"
+ }
+ ],
+ "alertSeverity": "Severity",
+ "alertnameFormat": "Alert from Authomize - User without MFA",
+ "alertTactics": "Tactics"
+ },
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "enabled": true,
+ "matchingMethod": "AnyAlert",
+ "groupByCustomDetails": "[variables('TemplateEmptyArray')]",
+ "reopenClosedIncident": false,
+ "groupByAlertDetails": "[variables('TemplateEmptyArray')]",
+ "groupByEntities": "[variables('TemplateEmptyArray')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId21'),'/'))))]",
+ "properties": {
+ "description": "Authomize Analytics Rule 21",
+ "parentId": "[variables('analyticRuleId21')]",
+ "contentId": "[variables('_analyticRulecontentId21')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion21')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId21')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "User without MFA",
+ "contentProductId": "[variables('_analyticRulecontentProductId21')]",
+ "id": "[variables('_analyticRulecontentProductId21')]",
+ "version": "[variables('analyticRuleVersion21')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Admin_SaaS_account_detected_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Authomize_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Admin SaaS account detected",
+ "category": "Hunting Queries",
+ "query": "Authomize_v2_CL\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Admin SaaS account detected\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics\n| extend CloudApplication_0_Name = Policy\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "detects internal admins accounts, it's recommended to review any new administrative permission."
+ },
+ {
+ "name": "tactics",
+ "value": "PrivilegeEscalation"
+ },
+ {
+ "name": "techniques",
+ "value": "T1089"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "properties": {
+ "description": "Authomize Hunting Query 1",
+ "parentId": "[variables('huntingQueryId1')]",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Admin SaaS account detected",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Chain_of_3_or_more_roles_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Authomize_Hunting_Query_2",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "ateral Movement Risk - Role Chain Length",
+ "category": "Hunting Queries",
+ "query": "Authomize_v2_CL\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Chain of 3 or more roles\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics\n| extend CloudApplication_0_Name = Policy\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "detects chains of more than 3 roles in the account, this is a misconfiguration that can enable lateral movement."
+ },
+ {
+ "name": "tactics",
+ "value": "PrivilegeEscalation"
+ },
+ {
+ "name": "techniques",
+ "value": "T1089"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "properties": {
+ "description": "Authomize Hunting Query 2",
+ "parentId": "[variables('huntingQueryId2')]",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "ateral Movement Risk - Role Chain Length",
+ "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
+ "id": "[variables('_huntingQuerycontentProductId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IaaS_admin_detected_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion3')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Authomize_Hunting_Query_3",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "IaaS admin detected",
+ "category": "Hunting Queries",
+ "query": "Authomize_v2_CL\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"IaaS admin detected\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics\n| extend CloudApplication_0_Name = Policy\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "detects admin users in AWS or Azure."
+ },
+ {
+ "name": "tactics",
+ "value": "PrivilegeEscalation"
+ },
+ {
+ "name": "techniques",
+ "value": "T1089"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "properties": {
+ "description": "Authomize Hunting Query 3",
+ "parentId": "[variables('huntingQueryId3')]",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion3')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "IaaS admin detected",
+ "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
+ "id": "[variables('_huntingQuerycontentProductId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "IaaS_shadow_admin_detected_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion4')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Authomize_Hunting_Query_4",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "IaaS shadow admin detected",
+ "category": "Hunting Queries",
+ "query": "Authomize_v2_CL\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"IaaS shadow admin detected\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics\n| extend CloudApplication_0_Name = Policy\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "detects shadow admin users in AWS or Azure."
+ },
+ {
+ "name": "tactics",
+ "value": "PrivilegeEscalation"
+ },
+ {
+ "name": "techniques",
+ "value": "T1089"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "properties": {
+ "description": "Authomize Hunting Query 4",
+ "parentId": "[variables('huntingQueryId4')]",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion4')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "IaaS shadow admin detected",
+ "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
+ "id": "[variables('_huntingQuerycontentProductId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Password_Exfiltration_over_SCIM_application_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion5')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Authomize_Hunting_Query_5",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Password Exfiltration over SCIM application",
+ "category": "Hunting Queries",
+ "query": "Authomize_v2_CL\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Password Exfiltration over SCIM\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics\n| extend CloudApplication_0_Name = Policy\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "detects suspicious sync events that occurred to applications using SCIM for user provisioning."
+ },
+ {
+ "name": "tactics",
+ "value": "CredentialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1555,T1040,T1552,T1555.003,T1552.005"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "properties": {
+ "description": "Authomize Hunting Query 5",
+ "parentId": "[variables('huntingQueryId5')]",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Password Exfiltration over SCIM application",
+ "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
+ "id": "[variables('_huntingQuerycontentProductId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Privileged_Machines_Exposed_to_the_Internet_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Authomize_Hunting_Query_6",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Privileged Machines Exposed to the Internet",
+ "category": "Hunting Queries",
+ "query": "Authomize_v2_CL\n| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s\n| where Policy has \"Privileged Machines Exposed to the Internet\"\n| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics\n| extend CloudApplication_0_Name = Policy\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "detects AWS instances which are exposed to the internet and can assume privileged roles. This is a default definition by Authomize and can be updated using the edit model."
+ },
+ {
+ "name": "tactics",
+ "value": "Discovery"
+ },
+ {
+ "name": "techniques",
+ "value": "T1613"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "properties": {
+ "description": "Authomize Hunting Query 6",
+ "parentId": "[variables('huntingQueryId6')]",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Privileged Machines Exposed to the Internet",
+ "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
+ "id": "[variables('_huntingQuerycontentProductId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Authomize data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Authomize Data Connector",
+ "publisher": "Authomize",
+ "descriptionMarkdown": "The Authomize Data Connector provides the capability to ingest custom log types from Authomize into Microsoft Sentinel.",
+ "additionalRequirementBanner": "This data connector is not currently dependant on a parser. You will need to follow the steps to use the alias **Authomize_v2_CL** in queries and workbooks. [Follow steps to get this log event file](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Authomize/Data%20Connectors/readme.md)",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Authomize_v2_CL",
+ "baseQuery": "Authomize_v2_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Number of Incidents by Severity (Critical, High, Medium, Low",
+ "query": "Authomize_v2_CL\n | summarize count() by severity_s"
+ },
+ {
+ "description": "Top 10 policies and number of incidents",
+ "query": "Authomize_v2_CL\n | summarize count() by policy_name_s\n | top 10 by count_"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Authomize_v2_CL",
+ "lastDataReceivedQuery": "Authomize_v2_CL\n | summarize TimeGenerated=max(TimeGenerated)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Authomize_v2_CL\n | summarize LastLogReceived=max(TimeGenerated)\n | project ConnectionState=iff(LastLogReceived > ago(30d), 'Connected', 'Disconnected')"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Include custom pre-requisites if the connectivity requires - else delete customs",
+ "description": "Description for any custom pre-requisite"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Follow the setup instructions [located under Data Connectors for Authomize](https://github.com/authomize/Open-ITDR/blob/main/Open-Connectors/Platform/Azure-Sentinel/Data%20Connectors/readme.md).",
+ "title": "1. Locate your Authomize API key"
+ },
+ {
+ "description": "Follow the Instructions on [deploying the data connector to ingest data from Authomize](https://github.com/authomize/Open-ITDR/blob/main/Open-Connectors/Platform/Azure-Sentinel/Data%20Connectors/readme.md).",
+ "title": "2. Deploy the Authomize data connector using the setup instructions."
+ },
+ {
+ "description": "Validate that your script is running. Simple instructions are located under the [Authomize Data Connector area](https://github.com/authomize/Open-ITDR/blob/main/Open-Connectors/Platform/Azure-Sentinel/Data%20Connectors/readme.md).",
+ "title": "3. Finalize your setup"
+ }
+ ],
+ "metadata": {
+ "version": "1.0.0",
+ "kind": "dataConnector"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Authomize Data Connector",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Authomize Data Connector",
+ "publisher": "Authomize",
+ "descriptionMarkdown": "The Authomize Data Connector provides the capability to ingest custom log types from Authomize into Microsoft Sentinel.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Authomize_v2_CL",
+ "baseQuery": "Authomize_v2_CL"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Authomize_v2_CL",
+ "lastDataReceivedQuery": "Authomize_v2_CL\n | summarize TimeGenerated=max(TimeGenerated)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Authomize_v2_CL\n | summarize LastLogReceived=max(TimeGenerated)\n | project ConnectionState=iff(LastLogReceived > ago(30d), 'Connected', 'Disconnected')"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Number of Incidents by Severity (Critical, High, Medium, Low",
+ "query": "Authomize_v2_CL\n | summarize count() by severity_s"
+ },
+ {
+ "description": "Top 10 policies and number of incidents",
+ "query": "Authomize_v2_CL\n | summarize count() by policy_name_s\n | top 10 by count_"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Include custom pre-requisites if the connectivity requires - else delete customs",
+ "description": "Description for any custom pre-requisite"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Follow the setup instructions [located under Data Connectors for Authomize](https://github.com/authomize/Open-ITDR/blob/main/Open-Connectors/Platform/Azure-Sentinel/Data%20Connectors/readme.md).",
+ "title": "1. Locate your Authomize API key"
+ },
+ {
+ "description": "Follow the Instructions on [deploying the data connector to ingest data from Authomize](https://github.com/authomize/Open-ITDR/blob/main/Open-Connectors/Platform/Azure-Sentinel/Data%20Connectors/readme.md).",
+ "title": "2. Deploy the Authomize data connector using the setup instructions."
+ },
+ {
+ "description": "Validate that your script is running. Simple instructions are located under the [Authomize Data Connector area](https://github.com/authomize/Open-ITDR/blob/main/Open-Connectors/Platform/Azure-Sentinel/Data%20Connectors/readme.md).",
+ "title": "3. Finalize your setup"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]",
+ "additionalRequirementBanner": "This data connector is not currently dependant on a parser. You will need to follow the steps to use the alias **Authomize_v2_CL** in queries and workbooks. [Follow steps to get this log event file](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Authomize/Data%20Connectors/readme.md)"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Authomize",
+ "publisherDisplayName": "Authomize",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Authomize Solution integrates Authomize with Microsoft Sentinel to monitor and analyze security events from Authomize.
\nData Connectors: 1, Workbooks: 1, Analytic Rules: 21, Hunting Queries: 6
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Authomize",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Authomize",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId11')]",
+ "version": "[variables('analyticRuleVersion11')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId12')]",
+ "version": "[variables('analyticRuleVersion12')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId13')]",
+ "version": "[variables('analyticRuleVersion13')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId14')]",
+ "version": "[variables('analyticRuleVersion14')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId15')]",
+ "version": "[variables('analyticRuleVersion15')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId16')]",
+ "version": "[variables('analyticRuleVersion16')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId17')]",
+ "version": "[variables('analyticRuleVersion17')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId18')]",
+ "version": "[variables('analyticRuleVersion18')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId19')]",
+ "version": "[variables('analyticRuleVersion19')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId20')]",
+ "version": "[variables('analyticRuleVersion20')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId21')]",
+ "version": "[variables('analyticRuleVersion21')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-06-15",
+ "providers": [
+ "Authomize"
+ ],
+ "categories": {
+ "domains": [
+ "Identity",
+ "Application",
+ "Security - Insider Threat",
+ "Compliance"
+ ],
+ "verticals": [
+ "Education",
+ "Finance",
+ "Healthcare",
+ "Manufacturing",
+ "Retail"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
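Review bot: `"icon": ""` on the line after `_solutioncontentProductId` leaves the solution metadata without an icon even though this PR adds `Workbooks/Images/Logos/Authomize.svg`; either fill the icon or confirm the blank value is what the packaging tool expects. Also worth a sanity check before merge: the `dependencies.criteria` list pins exactly one Workbook, 21 AnalyticsRule entries, six HuntingQuery entries and one DataConnector, and every `contentId`/version variable referenced here has to exist earlier in the template, otherwise the deployment fails at validation rather than with a readable error.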
diff --git a/Solutions/Authomize/ReleaseNotes.md b/Solutions/Authomize/ReleaseNotes.md
new file mode 100644
index 00000000000..14aa48857e0
--- /dev/null
+++ b/Solutions/Authomize/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 1.0.0 | 07-27-2023 | Initial solution release. |
\ No newline at end of file
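Review bot: the only data row, `| 1.0.0 | 07-27-2023 | Initial solution release. |`, does not follow the header's `DD-MM-YYYY` format (27 is not a month); it should read `27-07-2023`. That date also disagrees with `"firstPublishDate": "2023-06-15"` set in both the main template and SolutionMetadata.json; pick one initial release date and use it in all three places.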
diff --git a/Solutions/Authomize/SolutionMetadata.json b/Solutions/Authomize/SolutionMetadata.json
new file mode 100644
index 00000000000..3298e2ee5c7
--- /dev/null
+++ b/Solutions/Authomize/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "authomize",
+ "offerId": "azure-sentinel-solution-authomize",
+ "firstPublishDate": "2023-06-15",
+ "providers": ["Authomize"],
+ "categories": {
+ "domains" : ["Identity","Application","Security - Insider Threat", "Compliance"],
+ "verticals": ["Education","Finance","Healthcare","Manufacturing","Retail"]
+ },
+ "support": {
+ "name": "Authomize",
+ "email": "support@authomize.com",
+ "tier": "Partner",
+ "link": "https://support.authomize.com"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Authomize/Workbooks/Authomize.json b/Solutions/Authomize/Workbooks/Authomize.json
new file mode 100644
index 00000000000..c8c6554afe9
--- /dev/null
+++ b/Solutions/Authomize/Workbooks/Authomize.json
@@ -0,0 +1,275 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "\n\n\n# Authomize ITDR\n---"
+ },
+ "name": "text - 2",
+ "styleSettings": {
+ "showBorder": true
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "union withsource=_TableName Authomize_v2_CL\n| where TimeGenerated > ago(5d)\n| summarize Count=count() by TimeGenerated\n| render barchart\n",
+ "size": 1,
+ "title": "Event Processing from Authomize tenant",
+ "color": "green",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "chartSettings": {
+ "group": "TimeGenerated",
+ "createOtherGroup": null
+ }
+ },
+ "name": "Check Events"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "union withsource=_TableName Authomize_v2_CL\n| summarize Count=count() by Category",
+ "size": 0,
+ "title": "Event Category",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "areachart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "Category",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "graphSettings": {
+ "type": 0,
+ "topContent": {
+ "columnMatch": "Category",
+ "formatter": 1
+ },
+ "centerContent": {
+ "columnMatch": "Count",
+ "formatter": 1,
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "mapSettings": {
+ "locInfo": "LatLong"
+ }
+ },
+ "name": "query - 7"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Events to Process",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "union withsource=_TableName Authomize_v2_CL\n| summarize Count=count() by severity_s\n| render piechart",
+ "size": 2,
+ "title": "Events by Severity",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "severity_s",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ },
+ "chartSettings": {
+ "showLegend": true,
+ "ySettings": {
+ "numberFormatSettings": {
+ "unit": 0,
+ "options": {
+ "style": "decimal",
+ "useGrouping": true
+ }
+ }
+ }
+ }
+ },
+ "customWidth": "50",
+ "name": "query - 3",
+ "styleSettings": {
+ "showBorder": true
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "union withsource=_TableName Authomize_v2_CL\n| extend Policy = policy_name_s\n| extend Severity = severity_s\n| extend Description = description_s\n| extend Recommendation = recommendation_s\n| extend URL = url_s\n| extend Tactics = tactics_s\n//| where policy_name_s contains tostring(this_event)\n| project Policy, Severity, Description, Recommendation, URL, Category, Tactics",
+ "size": 2,
+ "title": "Events",
+ "timeContext": {
+ "durationMs": 259200000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "URL",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url"
+ }
+ },
+ {
+ "columnMatch": "url_s",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url"
+ }
+ }
+ ],
+ "rowLimit": 1000
+ },
+ "sortBy": []
+ },
+ "customWidth": "50",
+ "name": "query - 6",
+ "styleSettings": {
+ "maxWidth": "50",
+ "showBorder": true
+ }
+ }
+ ]
+ },
+ "name": "EventsToProcess"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "# Select an Event Type"
+ },
+ "name": "text - 5"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "title": "Events Grouped",
+ "items": [
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "union withsource=_TableName Authomize_v2_CL\n| extend Event_Type = policy_name_s\n| summarize Count = count() by Event_Type",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "exportMultipleValues": true,
+ "exportedParameters": [
+ {
+ "fieldName": "Event_Type",
+ "parameterName": "theEventType"
+ }
+ ],
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "50",
+ "name": "Grouped Events",
+ "styleSettings": {
+ "maxWidth": "50"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "let the_Event=dynamic({theEventType});\nunion withsource=_TableName Authomize_v2_CL\n| extend Severity = severity_s\n| extend Description = description_s\n| extend Recommendation = recommendation_s\n| extend URL = url_s\n| where policy_name_s contains tostring(the_Event)\n| project Severity, Description, Recommendation, URL, Category",
+ "size": 0,
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "URL",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url"
+ }
+ }
+ ]
+ }
+ },
+ "customWidth": "50",
+ "name": "query - 5",
+ "styleSettings": {
+ "maxWidth": "50"
+ }
+ }
+ ]
+ },
+ "name": "MultiSelect",
+ "styleSettings": {
+ "showBorder": true
+ }
+ }
+ ],
+ "styleSettings": {
+ "paddingStyle": "narrow",
+ "spacingStyle": "narrow"
+ },
+ "fromTemplateId": "sentinel-AuthomizeWorkbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
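Review bot: the `query - 5` panel (`let the_Event=dynamic({theEventType}); ... | where policy_name_s contains tostring(the_Event)`) does not work with the parameter that feeds it: the `Grouped Events` grid exports `theEventType` with `"exportMultipleValues": true`, so selecting more than one row substitutes several values that `dynamic()`/`tostring()` never turns into a per-value match, and before any row is clicked the substitution is empty and `dynamic()` is not valid KQL, so the panel shows an error on first load. Suggest `| where policy_name_s in ({theEventType})` (exact match, one or many rows) plus a default value or an `isnotempty` guard. Smaller cleanups in the same file: the `//| where policy_name_s contains tostring(this_event)` debug line and the second `url_s` formatter in `query - 6` are dead (the column is projected as `URL`), and the `Event Category` item renders `summarize Count=count() by Category` as an `areachart` with no time column, which given the leftover `tileSettings`/`graphSettings`/`mapSettings` blocks looks like it was meant to be tiles or a piechart.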
diff --git a/Solutions/Authomize/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-Black.png b/Solutions/Authomize/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-Black.png
new file mode 100644
index 00000000000..a19b86bf724
Binary files /dev/null and b/Solutions/Authomize/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-Black.png differ
diff --git a/Solutions/Authomize/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-White.png b/Solutions/Authomize/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-White.png
new file mode 100644
index 00000000000..62277bed0df
Binary files /dev/null and b/Solutions/Authomize/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-White.png differ
diff --git a/Workbooks/Images/Logos/Authomize.svg b/Workbooks/Images/Logos/Authomize.svg
new file mode 100644
index 00000000000..82f8978a52c
--- /dev/null
+++ b/Workbooks/Images/Logos/Authomize.svg
@@ -0,0 +1,12 @@
+
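Review bot: the hunk header `@@ -0,0 +1,12 @@` announces 12 added lines for `Workbooks/Images/Logos/Authomize.svg`, but only a blank line is present here, so the logo cannot be reviewed in this view; please confirm the SVG body was committed, since `WorkbooksMetadata.json` references `Authomize.svg` by file name and an empty logo will show up as a broken image.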
diff --git a/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-Black.png b/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-Black.png
new file mode 100644
index 00000000000..a19b86bf724
Binary files /dev/null and b/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-Black.png differ
diff --git a/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-White.png b/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-White.png
new file mode 100644
index 00000000000..62277bed0df
Binary files /dev/null and b/Workbooks/Images/Preview/AuthomizeITDREventMonitoring-White.png differ
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index ddd8fb98ec1..b11844b36a2 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -6799,6 +6799,19 @@
]
}
},
+{
+ "workbookKey": "AuthomizeWorkbook",
+ "logoFileName": "Authomize.svg",
+ "description": "Manage your Authorization Security Lifecycle across all XaaS environments and Private Clouds. Using Authomize AI-based engine continuously monitor the relationships between identities and assets and gain insight into security risks and events.",
+ "dataTypesDependencies": [ "Authomize_v2_CL" ],
+ "dataConnectorsDependencies": [ "Authomize" ],
+ "previewImagesFileNames": [ "AuthomizeITDREventMonitoring-Black.png", "AuthomizeITDREventMonitoring-White.png" ],
+ "version": "1.0.0",
+ "title": "Authomize ITDR Event Monitoring for Identities",
+ "templateRelativePath": "Authomize.json",
+ "subtitle": "",
+ "provider": "Authomize"
+ },
{
"workbookKey": "GigamonConnector",
"logoFileName": "gigamon.svg",
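Review bot: the `description` string has a grammar slip ("Using Authomize AI-based engine continuously monitor ..." should be "Using the Authomize AI-based engine, continuously monitor ...") and reads as marketing copy, whereas this field is what users see when picking the workbook; one sentence on what the panels show (event volume, category, severity and per-policy breakdown from `Authomize_v2_CL`) would serve better. `"subtitle": ""` is left empty, and `"dataConnectorsDependencies": [ "Authomize" ]` has to match the connector's `id` in the data connector definition rather than the provider name; worth checking the value lines up.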
@@ -6839,4 +6852,4 @@
"subtitle": "",
"provider": "Prancer"
}
-]
\ No newline at end of file
+]