Jira - New site admin user
| Id | b894593a-2b4c-4573-bc47-78715224a6f5 |
| Rulename | Jira - New site admin user |
| Description | Detects new site admin user. |
| Severity | High |
| Tactics | Persistence PrivilegeEscalation |
| Techniques | T1078 |
| Required data connectors | JiraAuditAPI |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml |
| Version | 1.0.1 |
| Arm template | b894593a-2b4c-4573-bc47-78715224a6f5.json |
JiraAudit
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| extend AccountCustomEntity = user
relevantTechniques:
- T1078
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
triggerThreshold: 0
description: |
'Detects new site admin user.'
requiredDataConnectors:
- connectorId: JiraAuditAPI
dataTypes:
- JiraAudit
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
id: b894593a-2b4c-4573-bc47-78715224a6f5
queryFrequency: 1h
query: |
JiraAudit
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| extend AccountCustomEntity = user
severity: High
status: Available
queryPeriod: 1h
name: Jira - New site admin user
tactics:
- Persistence
- PrivilegeEscalation
kind: Scheduled