Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Non-admin guest

Non-admin guest

Back
Id9B6558C4-BA23-40AC-B95F-42F8A29A3B35
RulenameNon-admin guest
DescriptionThis query searches for guest is not an admin in Azure
SeverityLow
TacticsInitialAccess
TechniquesT1078
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
Version1.0.0
Arm template9B6558C4-BA23-40AC-B95F-42F8A29A3B35.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'UserNonAdminGuest'

triggerOperator: gt
queryFrequency: 6h
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
relevantTechniques:
- T1078
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: ControlName_s
  - identifier: AadTenantId
    columnName: TenantId
  - identifier: DisplayName
    columnName: TenantDisplayName_s
- entityType: SecurityGroup
  fieldMappings:
  - identifier: DistinguishedName
    columnName: Group_s
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: SourceSystem
query: |
  SenservaPro_CL
  | where ControlName_s == 'UserNonAdminGuest'  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
queryPeriod: 6h
name: Non-admin guest
status: Available
kind: Scheduled
description: |
    'This query searches for guest is not an admin in Azure'
id: 9B6558C4-BA23-40AC-B95F-42F8A29A3B35
version: 1.0.0
tactics:
- InitialAccess
severity: Low