Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Non-admin guest

Non-admin guest

Back
Id9B6558C4-BA23-40AC-B95F-42F8A29A3B35
RulenameNon-admin guest
DescriptionThis query searches for guest is not an admin in Azure
SeverityLow
TacticsInitialAccess
TechniquesT1078
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
Version1.0.0
Arm template9B6558C4-BA23-40AC-B95F-42F8A29A3B35.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'UserNonAdminGuest'

description: |
    'This query searches for guest is not an admin in Azure'
version: 1.0.0
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 6h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
triggerOperator: gt
status: Available
id: 9B6558C4-BA23-40AC-B95F-42F8A29A3B35
name: Non-admin guest
queryFrequency: 6h
severity: Low
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
  entityType: Account
- fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
  entityType: SecurityGroup
- fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
  entityType: AzureResource
relevantTechniques:
- T1078
query: |
  SenservaPro_CL
  | where ControlName_s == 'UserNonAdminGuest'  
requiredDataConnectors:
- dataTypes:
  - SenservaPro_CL
  connectorId: SenservaPro