SlackAudit - User login after deactivated

Back


Id	e6e99dcb-4dff-48d2-8012-206ca166b36b
Rulename	SlackAudit - User login after deactivated.
Description	Detects when user email linked to account changes.
Severity	Medium
Tactics	InitialAccess Persistence PrivilegeEscalation
Techniques	T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Version	1.0.0
Arm template	e6e99dcb-4dff-48d2-8012-206ca166b36b.json

KQL

let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
      | where TimeGenerated > ago(lb_time_max_h)
      | where Action =~ 'user_login'
      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail

YAML

triggerOperator: gt
queryFrequency: 1h
description: |
    'Detects when user email linked to account changes.'
status: Available
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
version: 1.0.0
queryPeriod: 14d
name: SlackAudit - User login after deactivated.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1078
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
query: |
  let lbperiod_max_d = 14d;
  let lbperiod_min_d = 1d;
  let lb_time_max_h = 24h;
  SlackAudit
  | where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
  | where Action =~ 'user_deactivated'
  | summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
  | project deactivation_time, EntityUserEmail, EntityUserId
  | join (SlackAudit
        | where TimeGenerated > ago(lb_time_max_h)
        | where Action =~ 'user_login'
        | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
        | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
  | where EntityUserEmail == SrcUserEmail
  | where deactivation_time < new_login_time
  | extend AccountCustomEntity = SrcUserEmail

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
      "properties": {
        "alertRuleTemplateName": "e6e99dcb-4dff-48d2-8012-206ca166b36b",
        "customDetails": null,
        "description": "'Detects when user email linked to account changes.'\n",
        "displayName": "SlackAudit - User login after deactivated.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml",
        "query": "let lbperiod_max_d = 14d;\nlet lbperiod_min_d = 1d;\nlet lb_time_max_h = 24h;\nSlackAudit\n| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))\n| where Action =~ 'user_deactivated'\n| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId\n| project deactivation_time, EntityUserEmail, EntityUserId\n| join (SlackAudit\n      | where TimeGenerated > ago(lb_time_max_h)\n      | where Action =~ 'user_login'\n      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity\n      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId\n| where EntityUserEmail == SrcUserEmail\n| where deactivation_time < new_login_time\n| extend AccountCustomEntity = SrcUserEmail\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}