Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SlackAudit - User email linked to account changed

Back
Id9d85feb3-7f54-4181-b143-68abb1a86823
RulenameSlackAudit - User email linked to account changed.
DescriptionDetects when user email linked to account changes.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml
Version1.0.0
Arm template9d85feb3-7f54-4181-b143-68abb1a86823.json
Deploy To Azure
SlackAudit
| where TimeGenerated between (ago(14d) .. (1d))
| summarize max(TimeGenerated) by SrcUserName, SrcUserEmail
| join (SlackAudit 
      | where Action =~ 'user_login'
      | project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName
| where NewUserEmail != SrcUserEmail
| extend AccountCustomEntity = SrcUserName
| extend IPCustomEntity = SrcIpAddr
queryFrequency: 1h
description: |
    'Detects when user email linked to account changes.'
name: SlackAudit - User email linked to account changed.
relevantTechniques:
- T1078
triggerThreshold: 0
status: Available
id: 9d85feb3-7f54-4181-b143-68abb1a86823
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
queryPeriod: 14d
query: |
  SlackAudit
  | where TimeGenerated between (ago(14d) .. (1d))
  | summarize max(TimeGenerated) by SrcUserName, SrcUserEmail
  | join (SlackAudit 
        | where Action =~ 'user_login'
        | project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName
  | where NewUserEmail != SrcUserEmail
  | extend AccountCustomEntity = SrcUserName
  | extend IPCustomEntity = SrcIpAddr  
kind: Scheduled
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml
version: 1.0.0
triggerOperator: gt
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d85feb3-7f54-4181-b143-68abb1a86823')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d85feb3-7f54-4181-b143-68abb1a86823')]",
      "properties": {
        "alertRuleTemplateName": "9d85feb3-7f54-4181-b143-68abb1a86823",
        "customDetails": null,
        "description": "'Detects when user email linked to account changes.'\n",
        "displayName": "SlackAudit - User email linked to account changed.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserEmailChanged.yaml",
        "query": "SlackAudit\n| where TimeGenerated between (ago(14d) .. (1d))\n| summarize max(TimeGenerated) by SrcUserName, SrcUserEmail\n| join (SlackAudit \n      | where Action =~ 'user_login'\n      | project SrcIpAddr, SrcUserName, NewUserEmail = SrcUserEmail) on SrcUserName\n| where NewUserEmail != SrcUserEmail\n| extend AccountCustomEntity = SrcUserName\n| extend IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}