SlackAudit - User role changed to admin or owner

Back


Id	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
Rulename	SlackAudit - User role changed to admin or owner
Description	This query helps to detect a change in the users role to admin or owner.
Severity	Low
Tactics	Persistence PrivilegeEscalation
Techniques	T1098 T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
Version	1.0.0
Arm template	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e.json

KQL

SlackAudit
| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
| extend AccountCustomEntity = SrcUserName

YAML

relevantTechniques:
- T1098
- T1078
name: SlackAudit - User role changed to admin or owner
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
tactics:
- Persistence
- PrivilegeEscalation
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Low
status: Available
description: |
    'This query helps to detect a change in the users role to admin or owner.'
query: |
  SlackAudit
  | where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
  | extend AccountCustomEntity = SrcUserName  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "properties": {
        "alertRuleTemplateName": "be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e",
        "customDetails": null,
        "description": "'This query helps to detect a change in the users role to admin or owner.'\n",
        "displayName": "SlackAudit - User role changed to admin or owner",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml",
        "query": "SlackAudit\n| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}