let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
query: |
let priv_users = JiraAudit
| where TimeGenerated > ago(14d)
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize makeset(user);
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| where user in (priv_users)
| extend AccountCustomEntity = user
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
triggerOperator: gt
description: |
'Detects new site admin user.'
tactics:
- InitialAccess
severity: High
queryFrequency: 1h
kind: Scheduled
name: Jira - New site admin user
triggerThreshold: 0
status: Available
id: 6bf42891-b54d-4b4e-8533-babc5b3ea4c5
requiredDataConnectors:
- connectorId: JiraAuditAPI
dataTypes:
- JiraAudit
relevantTechniques:
- T1078
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraPrivilegedUserPasswordChanged.yaml
queryPeriod: 14d
