let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
triggerOperator: gt
tactics:
- InitialAccess
triggerThreshold: 0
kind: Scheduled
description: |
'Detects new site admin user.'
severity: High
id: 6bf42891-b54d-4b4e-8533-babc5b3ea4c5
requiredDataConnectors:
- connectorId: JiraAuditAPI
dataTypes:
- JiraAudit
query: |
let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
version: 1.0.1
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
name: Jira - New site admin user
queryPeriod: 14d
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraPrivilegedUserPasswordChanged.yaml
relevantTechniques:
- T1078
