let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
query: |
let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
status: Available
id: 6bf42891-b54d-4b4e-8533-babc5b3ea4c5
kind: Scheduled
relevantTechniques:
- T1078
requiredDataConnectors:
- connectorId: JiraAuditAPI
dataTypes:
- JiraAudit
triggerOperator: gt
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraPrivilegedUserPasswordChanged.yaml
description: |
'Detects new site admin user.'
triggerThreshold: 0
name: Jira - New site admin user
tactics:
- InitialAccess
queryPeriod: 14d
version: 1.0.1
queryFrequency: 1h
