Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Non-admin guest

Non-admin guest

Back
Id9B6558C4-BA23-40AC-B95F-42F8A29A3B35
RulenameNon-admin guest
DescriptionThis query searches for guest is not an admin in Azure
SeverityLow
TacticsInitialAccess
TechniquesT1078
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
Version1.0.0
Arm template9B6558C4-BA23-40AC-B95F-42F8A29A3B35.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'UserNonAdminGuest'

query: |
  SenservaPro_CL
  | where ControlName_s == 'UserNonAdminGuest'  
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
status: Available
description: |
    'This query searches for guest is not an admin in Azure'
queryFrequency: 6h
name: Non-admin guest
kind: Scheduled
triggerThreshold: 0
id: 9B6558C4-BA23-40AC-B95F-42F8A29A3B35
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
severity: Low
queryPeriod: 6h
entityMappings:
- fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
  entityType: Account
- fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
  entityType: SecurityGroup
- fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
  entityType: AzureResource
relevantTechniques:
- T1078
tactics:
- InitialAccess