Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Box - User role changed to owner

Back
Id174c31c9-22ec-42e5-8226-814391c08200
RulenameBox - User role changed to owner
DescriptionDetects when user collaboration role is changed to owner.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078
Required data connectorsBoxDataConnector
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
Version1.0.0
Arm template174c31c9-22ec-42e5-8226-814391c08200.json
Deploy To Azure
let lbperiod = 14d;
let lbtime = 1h;
BoxEvents
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where EventType =~ 'COLLABORATION_INVITE'
| where AdditionalDetailsRole !~ 'Owner'
| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
|join (BoxEvents
          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
          | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
          ) on FileDirectory, AccessibleByName
| where NewRole =~ 'Owner'
| project AccessibleByName, FileDirectory
| extend AccountCustomEntity = AccessibleByName
status: Available
id: 174c31c9-22ec-42e5-8226-814391c08200
name: Box - User role changed to owner
requiredDataConnectors:
- connectorId: BoxDataConnector
  dataTypes:
  - BoxEvents_CL
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
kind: Scheduled
description: |
    'Detects when user collaboration role is changed to owner.'
relevantTechniques:
- T1078
queryPeriod: 14d
triggerOperator: gt
queryFrequency: 1h
query: |
  let lbperiod = 14d;
  let lbtime = 1h;
  BoxEvents
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where EventType =~ 'COLLABORATION_INVITE'
  | where AdditionalDetailsRole !~ 'Owner'
  | summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
  | project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
  |join (BoxEvents
            | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
            | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
            | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
            ) on FileDirectory, AccessibleByName
  | where NewRole =~ 'Owner'
  | project AccessibleByName, FileDirectory
  | extend AccountCustomEntity = AccessibleByName  
version: 1.0.0
tactics:
- PrivilegeEscalation
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/174c31c9-22ec-42e5-8226-814391c08200')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/174c31c9-22ec-42e5-8226-814391c08200')]",
      "properties": {
        "alertRuleTemplateName": "174c31c9-22ec-42e5-8226-814391c08200",
        "customDetails": null,
        "description": "'Detects when user collaboration role is changed to owner.'\n",
        "displayName": "Box - User role changed to owner",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml",
        "query": "let lbperiod = 14d;\nlet lbtime = 1h;\nBoxEvents\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where EventType =~ 'COLLABORATION_INVITE'\n| where AdditionalDetailsRole !~ 'Owner'\n| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole\n|join (BoxEvents\n          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n          | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole\n          ) on FileDirectory, AccessibleByName\n| where NewRole =~ 'Owner'\n| project AccessibleByName, FileDirectory\n| extend AccountCustomEntity = AccessibleByName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}