Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Box - User role changed to owner

Box - User role changed to owner

Back
Id174c31c9-22ec-42e5-8226-814391c08200
RulenameBox - User role changed to owner
DescriptionDetects when user collaboration role is changed to owner.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsBoxDataConnector
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
Version1.0.1
Arm template174c31c9-22ec-42e5-8226-814391c08200.json
Deploy To Azure
let lbperiod = 14d;
let lbtime = 1h;
BoxEvents
| where EventEndTime between (ago(lbperiod) .. ago(lbtime))
| where EventType =~ 'COLLABORATION_INVITE'
| where AdditionalDetailsRole !~ 'Owner'
| summarize min(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
|join (BoxEvents
          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
          | summarize max(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
          ) on FileDirectory, AccessibleByName
| where NewRole =~ 'Owner'
| project AccessibleByName, FileDirectory
| extend AccountCustomEntity = AccessibleByName

status: Available
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
query: |
  let lbperiod = 14d;
  let lbtime = 1h;
  BoxEvents
  | where EventEndTime between (ago(lbperiod) .. ago(lbtime))
  | where EventType =~ 'COLLABORATION_INVITE'
  | where AdditionalDetailsRole !~ 'Owner'
  | summarize min(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
  | project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
  |join (BoxEvents
            | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
            | summarize max(EventEndTime) by AccessibleByName, FileDirectory, AdditionalDetailsRole
            | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
            ) on FileDirectory, AccessibleByName
  | where NewRole =~ 'Owner'
  | project AccessibleByName, FileDirectory
  | extend AccountCustomEntity = AccessibleByName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
tactics:
- PrivilegeEscalation
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
requiredDataConnectors:
- connectorId: BoxDataConnector
  dataTypes:
  - BoxEvents_CL
kind: Scheduled
relevantTechniques:
- T1078
description: |
    'Detects when user collaboration role is changed to owner.'
name: Box - User role changed to owner
version: 1.0.1
id: 174c31c9-22ec-42e5-8226-814391c08200
severity: Medium