Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Jira - New site admin user

Jira - New site admin user

Back
Idb894593a-2b4c-4573-bc47-78715224a6f5
RulenameJira - New site admin user
DescriptionDetects new site admin user.
SeverityHigh
TacticsPersistence
PrivilegeEscalation
TechniquesT1078
Required data connectorsJiraAuditAPI
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
Version1.0.1
Arm templateb894593a-2b4c-4573-bc47-78715224a6f5.json
Deploy To Azure
JiraAudit
| where EventMessage =~ 'User added to group'
| where ObjectItemName =~ 'site-admins'
| extend user = todynamic(AssociatedItems)[0]['name']
| extend AccountCustomEntity = user

tactics:
- Persistence
- PrivilegeEscalation
relevantTechniques:
- T1078
version: 1.0.1
triggerOperator: gt
name: Jira - New site admin user
id: b894593a-2b4c-4573-bc47-78715224a6f5
description: |
    'Detects new site admin user.'
queryFrequency: 1h
severity: High
status: Available
query: |
  JiraAudit
  | where EventMessage =~ 'User added to group'
  | where ObjectItemName =~ 'site-admins'
  | extend user = todynamic(AssociatedItems)[0]['name']
  | extend AccountCustomEntity = user  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml
queryPeriod: 1h
triggerThreshold: 0
kind: Scheduled
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - JiraAudit
  connectorId: JiraAuditAPI