Jira - New site admin user

Back


Id	b894593a-2b4c-4573-bc47-78715224a6f5
Rulename	Jira - New site admin user
Description	Detects new site admin user.
Severity	High
Tactics	Persistence PrivilegeEscalation
Techniques	T1078
Required data connectors	JiraAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
Version	1.0.1
Arm template	b894593a-2b4c-4573-bc47-78715224a6f5.json

KQL

JiraAudit
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| extend AccountCustomEntity = user

YAML

description: |
    'Detects new site admin user.'
kind: Scheduled
tactics:
- Persistence
- PrivilegeEscalation
requiredDataConnectors:
- connectorId: JiraAuditAPI
  dataTypes:
  - JiraAudit
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
severity: High
name: Jira - New site admin user
triggerThreshold: 0
queryPeriod: 1h
query: |
  JiraAudit
  | where EventMessage =~ 'User added to group'
  | where ObjectItemName =~ 'site-admins'
  | extend user = todynamic(AssociatedItems)[0]['name']
  | extend AccountCustomEntity = user  
relevantTechniques:
- T1078
id: b894593a-2b4c-4573-bc47-78715224a6f5
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name

ARM