Admin SaaS account detected
| Id | 87419138-d75f-450d-aca4-1dc802e32540 |
| Rulename | Admin SaaS account detected |
| Description | The rule detects internal admins accounts, it’s recommended to review any new administrative permission. |
| Severity | Low |
| Tactics | InitialAccess PrivilegeEscalation |
| Techniques | T1078 T1078 |
| Required data connectors | Authomize |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Admin_SaaS_account_detected.yaml |
| Version | 1.0.2 |
| Arm template | 87419138-d75f-450d-aca4-1dc802e32540.json |
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Admin SaaS account detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
relevantTechniques:
- T1078
- T1078
entityMappings:
- entityType: URL
fieldMappings:
- columnName: URL
identifier: Url
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.2
suppressionEnabled: false
id: 87419138-d75f-450d-aca4-1dc802e32540
suppressionDuration: 5h
severity: Low
kind: Scheduled
queryFrequency: 30m
description: The rule detects internal admins accounts, it's recommended to review any new administrative permission.
requiredDataConnectors:
- connectorId: Authomize
dataTypes:
- Authomize_v2_CL
triggerOperator: gt
name: Admin SaaS account detected
tactics:
- InitialAccess
- PrivilegeEscalation
alertDetailsOverride:
alertnameFormat: Alert from Authomize - Admin SaaS account detected
alertTactics: Tactics
alertSeverity: Severity
alertDescriptionFormat: Admin SaaS account detected. The policy detects internal admins accounts, it's recommended to review any new administrative permission.
alertDynamicProperties:
- value: URL
alertProperty: AlertLink
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/Admin_SaaS_account_detected.yaml
triggerThreshold: 0
queryPeriod: 30m
query: |-
Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "Admin SaaS account detected"
| project EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics
status: Available
customDetails:
ReferencedURL: URL
EventDescription: Description
EventRecommendation: Recommendation
AuthomizeEventID: EventID
EventName: Policy
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AnyAlert
groupByEntities: []
groupByCustomDetails: []
groupByAlertDetails: []
reopenClosedIncident: false
enabled: true
lookbackDuration: 5h