let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
description: |
'Detects new site admin user.'
version: 1.0.1
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraPrivilegedUserPasswordChanged.yaml
triggerOperator: gt
status: Available
id: 6bf42891-b54d-4b4e-8533-babc5b3ea4c5
name: Jira - New site admin user
queryFrequency: 1h
severity: High
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
relevantTechniques:
- T1078
query: |
let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
requiredDataConnectors:
- dataTypes:
- JiraAudit
connectorId: JiraAuditAPI
