Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jira - Users password changed multiple times

Back
Id943176e8-b979-45c0-8ad3-58ba6cfd41f0
RulenameJira - User’s password changed multiple times
DescriptionDetects when user’s password was changed multiple times from different IP addresses.
SeverityHigh
TacticsPersistence
TechniquesT1078
Required data connectorsJiraAuditAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraUserPasswordChange.yaml
Version1.0.1
Arm template943176e8-b979-45c0-8ad3-58ba6cfd41f0.json
Deploy To Azure
JiraAudit
| where EventMessage =~ "User's password changed"
| extend user = todynamic(AssociatedItems)[0]['name']
| summarize ip_list = makeset(SrcIpAddr) by tostring(user), bin(TimeGenerated, 30m)
| where array_length(ip_list) > 1
| extend AccountCustomEntity = user, IPCustomEntity = ip_list
queryFrequency: 1h
description: |
    'Detects when user's password was changed multiple times from different IP addresses.'
name: Jira - User's password changed multiple times
relevantTechniques:
- T1078
triggerThreshold: 0
status: Available
id: 943176e8-b979-45c0-8ad3-58ba6cfd41f0
requiredDataConnectors:
- dataTypes:
  - JiraAudit
  connectorId: JiraAuditAPI
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
queryPeriod: 1h
query: |
  JiraAudit
  | where EventMessage =~ "User's password changed"
  | extend user = todynamic(AssociatedItems)[0]['name']
  | summarize ip_list = makeset(SrcIpAddr) by tostring(user), bin(TimeGenerated, 30m)
  | where array_length(ip_list) > 1
  | extend AccountCustomEntity = user, IPCustomEntity = ip_list  
kind: Scheduled
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraUserPasswordChange.yaml
version: 1.0.1
triggerOperator: gt
tactics:
- Persistence
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/943176e8-b979-45c0-8ad3-58ba6cfd41f0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/943176e8-b979-45c0-8ad3-58ba6cfd41f0')]",
      "properties": {
        "alertRuleTemplateName": "943176e8-b979-45c0-8ad3-58ba6cfd41f0",
        "customDetails": null,
        "description": "'Detects when user's password was changed multiple times from different IP addresses.'\n",
        "displayName": "Jira - User's password changed multiple times",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraUserPasswordChange.yaml",
        "query": "JiraAudit\n| where EventMessage =~ \"User's password changed\"\n| extend user = todynamic(AssociatedItems)[0]['name']\n| summarize ip_list = makeset(SrcIpAddr) by tostring(user), bin(TimeGenerated, 30m)\n| where array_length(ip_list) > 1\n| extend AccountCustomEntity = user, IPCustomEntity = ip_list\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}