Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Non-admin guest

Non-admin guest

Back
Id9B6558C4-BA23-40AC-B95F-42F8A29A3B35
RulenameNon-admin guest
DescriptionThis query searches for guest is not an admin in Azure
SeverityLow
TacticsInitialAccess
TechniquesT1078
Required data connectorsSenservaPro
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
Version1.0.0
Arm template9B6558C4-BA23-40AC-B95F-42F8A29A3B35.json
Deploy To Azure
SenservaPro_CL
| where ControlName_s == 'UserNonAdminGuest'

relevantTechniques:
- T1078
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ControlName_s
    identifier: Name
  - columnName: TenantId
    identifier: AadTenantId
  - columnName: TenantDisplayName_s
    identifier: DisplayName
- entityType: SecurityGroup
  fieldMappings:
  - columnName: Group_s
    identifier: DistinguishedName
- entityType: AzureResource
  fieldMappings:
  - columnName: SourceSystem
    identifier: ResourceId
version: 1.0.0
id: 9B6558C4-BA23-40AC-B95F-42F8A29A3B35
severity: Low
kind: Scheduled
queryFrequency: 6h
description: |
    'This query searches for guest is not an admin in Azure'
requiredDataConnectors:
- connectorId: SenservaPro
  dataTypes:
  - SenservaPro_CL
triggerOperator: gt
name: Non-admin guest
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SenservaPro/Analytic Rules/NonAdminGuest.yaml
triggerThreshold: 0
queryPeriod: 6h
query: |
  SenservaPro_CL
  | where ControlName_s == 'UserNonAdminGuest'  
status: Available