Jira - New site admin user

Back


Id	b894593a-2b4c-4573-bc47-78715224a6f5
Rulename	Jira - New site admin user
Description	Detects new site admin user.
Severity	High
Tactics	Persistence PrivilegeEscalation
Techniques	T1078
Required data connectors	JiraAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
Version	1.0.1
Arm template	b894593a-2b4c-4573-bc47-78715224a6f5.json

KQL

JiraAudit
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| extend AccountCustomEntity = user

YAML

relevantTechniques:
- T1078
name: Jira - New site admin user
requiredDataConnectors:
- dataTypes:
  - JiraAudit
  connectorId: JiraAuditAPI
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: b894593a-2b4c-4573-bc47-78715224a6f5
tactics:
- Persistence
- PrivilegeEscalation
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: High
status: Available
description: |
    'Detects new site admin user.'
query: |
  JiraAudit
  | where EventMessage =~ 'User added to group'
  | where ObjectItemName =~ 'site-admins'
  | extend user = todynamic(AssociatedItems)[0]['name']
  | extend AccountCustomEntity = user  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b894593a-2b4c-4573-bc47-78715224a6f5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b894593a-2b4c-4573-bc47-78715224a6f5')]",
      "properties": {
        "alertRuleTemplateName": "b894593a-2b4c-4573-bc47-78715224a6f5",
        "customDetails": null,
        "description": "'Detects new site admin user.'\n",
        "displayName": "Jira - New site admin user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml",
        "query": "JiraAudit\n| where EventMessage =~ 'User added to group'\n| where ObjectItemName =~ 'site-admins'\n| extend user = todynamic(AssociatedItems)[0]['name']\n| extend AccountCustomEntity = user\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}