Box - User role changed to owner

Back


Id	174c31c9-22ec-42e5-8226-814391c08200
Rulename	Box - User role changed to owner
Description	Detects when user collaboration role is changed to owner.
Severity	Medium
Tactics	PrivilegeEscalation
Techniques	T1078
Required data connectors	BoxDataConnector
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
Version	1.0.0
Arm template	174c31c9-22ec-42e5-8226-814391c08200.json

KQL

let lbperiod = 14d;
let lbtime = 1h;
BoxEvents
| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
| where EventType =~ 'COLLABORATION_INVITE'
| where AdditionalDetailsRole !~ 'Owner'
| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
|join (BoxEvents
          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
          | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
          ) on FileDirectory, AccessibleByName
| where NewRole =~ 'Owner'
| project AccessibleByName, FileDirectory
| extend AccountCustomEntity = AccessibleByName

YAML

tactics:
- PrivilegeEscalation
severity: Medium
requiredDataConnectors:
- connectorId: BoxDataConnector
  dataTypes:
  - BoxEvents_CL
triggerOperator: gt
query: |
  let lbperiod = 14d;
  let lbtime = 1h;
  BoxEvents
  | where TimeGenerated between (ago(lbperiod) .. ago(lbtime))
  | where EventType =~ 'COLLABORATION_INVITE'
  | where AdditionalDetailsRole !~ 'Owner'
  | summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
  | project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole
  |join (BoxEvents
            | where EventType =~ 'COLLABORATION_ROLE_CHANGE'
            | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole
            | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole
            ) on FileDirectory, AccessibleByName
  | where NewRole =~ 'Owner'
  | project AccessibleByName, FileDirectory
  | extend AccountCustomEntity = AccessibleByName  
triggerThreshold: 0
name: Box - User role changed to owner
kind: Scheduled
version: 1.0.0
relevantTechniques:
- T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml
description: |
    'Detects when user collaboration role is changed to owner.'
status: Available
queryFrequency: 1h
queryPeriod: 14d
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
id: 174c31c9-22ec-42e5-8226-814391c08200

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/174c31c9-22ec-42e5-8226-814391c08200')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/174c31c9-22ec-42e5-8226-814391c08200')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Box - User role changed to owner",
        "description": "'Detects when user collaboration role is changed to owner.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lbperiod = 14d;\nlet lbtime = 1h;\nBoxEvents\n| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))\n| where EventType =~ 'COLLABORATION_INVITE'\n| where AdditionalDetailsRole !~ 'Owner'\n| summarize min(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n| project AccessibleByName, FileDirectory, InitialRole = AdditionalDetailsRole\n|join (BoxEvents\n          | where EventType =~ 'COLLABORATION_ROLE_CHANGE'\n          | summarize max(TimeGenerated) by AccessibleByName, FileDirectory, AdditionalDetailsRole\n          | project AccessibleByName, FileDirectory, NewRole = AdditionalDetailsRole\n          ) on FileDirectory, AccessibleByName\n| where NewRole =~ 'Owner'\n| project AccessibleByName, FileDirectory\n| extend AccountCustomEntity = AccessibleByName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "174c31c9-22ec-42e5-8226-814391c08200",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Box/Analytic Rules/BoxUserRoleChangedToOwner.yaml"
      }
    }
  ]
}