Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Box - User role changed to owner

Back
Id174c31c9-22ec-42e5-8226-814391c08200
RulenameBox - User role changed to owner
DescriptionDetects when user collaboration role is changed to owner.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsBoxDataConnector
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
Version1.0.0
Arm template174c31c9-22ec-42e5-8226-814391c08200.json
Deploy To Azure
let lbperiod = 14d;
let lbtime = 1h;
BoxEvents
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where EventType =~ 'COLLABORATION_INVITE'
| where AdditionalDetailsRole !~ 'Owner'
| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
|join (BoxEvents
          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
          | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
          ) on FileDirectory, AccessibleByName
| where NewRole =~ 'Owner'
| project AccessibleByName, FileDirectory
| extend AccountCustomEntity = AccessibleByName
status: Available
queryFrequency: 1h
description: |
    'Detects when user collaboration role is changed to owner.'
severity: Medium
version: 1.0.0
relevantTechniques:
- T1078
name: Box - User role changed to owner
triggerThreshold: 0
kind: Scheduled
query: |
  let lbperiod = 14d;
  let lbtime = 1h;
  BoxEvents
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where EventType =~ 'COLLABORATION_INVITE'
  | where AdditionalDetailsRole !~ 'Owner'
  | summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
  | project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
  |join (BoxEvents
            | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
            | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
            | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
            ) on FileDirectory, AccessibleByName
  | where NewRole =~ 'Owner'
  | project AccessibleByName, FileDirectory
  | extend AccountCustomEntity = AccessibleByName  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
requiredDataConnectors:
- connectorId: BoxDataConnector
  dataTypes:
  - BoxEvents_CL
tactics:
- PrivilegeEscalation
id: 174c31c9-22ec-42e5-8226-814391c08200
queryPeriod: 14d
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/174c31c9-22ec-42e5-8226-814391c08200')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/174c31c9-22ec-42e5-8226-814391c08200')]",
      "properties": {
        "alertRuleTemplateName": "174c31c9-22ec-42e5-8226-814391c08200",
        "customDetails": null,
        "description": "'Detects when user collaboration role is changed to owner.'\n",
        "displayName": "Box - User role changed to owner",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml",
        "query": "let lbperiod = 14d;\nlet lbtime = 1h;\nBoxEvents\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where EventType =~ 'COLLABORATION_INVITE'\n| where AdditionalDetailsRole !~ 'Owner'\n| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole\n|join (BoxEvents\n          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n          | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole\n          ) on FileDirectory, AccessibleByName\n| where NewRole =~ 'Owner'\n| project AccessibleByName, FileDirectory\n| extend AccountCustomEntity = AccessibleByName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}