SlackAudit - User login after deactivated

Back


Id	e6e99dcb-4dff-48d2-8012-206ca166b36b
Rulename	SlackAudit - User login after deactivated.
Description	Detects when user email linked to account changes.
Severity	Medium
Tactics	InitialAccess Persistence PrivilegeEscalation
Techniques	T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Version	1.0.0
Arm template	e6e99dcb-4dff-48d2-8012-206ca166b36b.json

KQL

let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
      | where TimeGenerated > ago(lb_time_max_h)
      | where Action =~ 'user_login'
      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail

YAML

severity: Medium
relevantTechniques:
- T1078
queryFrequency: 1h
kind: Scheduled
version: 1.0.0
name: SlackAudit - User login after deactivated.
triggerOperator: gt
description: |
    'Detects when user email linked to account changes.'
queryPeriod: 14d
query: |
  let lbperiod_max_d = 14d;
  let lbperiod_min_d = 1d;
  let lb_time_max_h = 24h;
  SlackAudit
  | where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
  | where Action =~ 'user_deactivated'
  | summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
  | project deactivation_time, EntityUserEmail, EntityUserId
  | join (SlackAudit
        | where TimeGenerated > ago(lb_time_max_h)
        | where Action =~ 'user_login'
        | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
        | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
  | where EntityUserEmail == SrcUserEmail
  | where deactivation_time < new_login_time
  | extend AccountCustomEntity = SrcUserEmail  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
      "properties": {
        "alertRuleTemplateName": "e6e99dcb-4dff-48d2-8012-206ca166b36b",
        "customDetails": null,
        "description": "'Detects when user email linked to account changes.'\n",
        "displayName": "SlackAudit - User login after deactivated.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml",
        "query": "let lbperiod_max_d = 14d;\nlet lbperiod_min_d = 1d;\nlet lb_time_max_h = 24h;\nSlackAudit\n| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))\n| where Action =~ 'user_deactivated'\n| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId\n| project deactivation_time, EntityUserEmail, EntityUserId\n| join (SlackAudit\n      | where TimeGenerated > ago(lb_time_max_h)\n      | where Action =~ 'user_login'\n      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity\n      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId\n| where EntityUserEmail == SrcUserEmail\n| where deactivation_time < new_login_time\n| extend AccountCustomEntity = SrcUserEmail\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}