Bitglass - New admin user

Bitglass
| where EventType =~ 'admin'
| where EventResultDetails has_all ('User', 'Promoted to administrator')
| extend AccountCustomEntity = User

id: 8c8602e6-315d-400f-9d1e-23bbdee1dbfe
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewAdminUser.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
  Bitglass
  | where EventType =~ 'admin'
  | where EventResultDetails has_all ('User', 'Promoted to administrator')
  | extend AccountCustomEntity = User  
name: Bitglass - New admin user
kind: Scheduled
tactics:
- PrivilegeEscalation
severity: Medium
relevantTechniques:
- T1078
triggerThreshold: 0
version: 1.0.0
description: |
    'Detects new admin user.'