SlackAudit - User role changed to admin or owner
| Field | Value |
|---|---|
| Id | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e |
| Rulename | SlackAudit - User role changed to admin or owner |
| Description | This query helps to detect a change in a user's role to admin or owner. |
| Severity | Low |
| Tactics | Persistence, PrivilegeEscalation |
| Techniques | T1098, T1078 |
| Required data connectors | SlackAuditAPI |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml |
| Version | 1.0.0 |
| Arm template | be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e.json |
```kusto
SlackAudit
| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
| extend AccountCustomEntity = SrcUserName
```
```yaml
description: |
  'This query helps to detect a change in the users role to admin or owner.'
kind: Scheduled
tactics:
  - Persistence
  - PrivilegeEscalation
requiredDataConnectors:
  - connectorId: SlackAuditAPI
    dataTypes:
      - SlackAudit_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
severity: Low
name: SlackAudit - User role changed to admin or owner
triggerThreshold: 0
queryPeriod: 1h
query: |
  SlackAudit
  | where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
  | extend AccountCustomEntity = SrcUserName
relevantTechniques:
  - T1098
  - T1078
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.0
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: AccountCustomEntity
        identifier: FullName
```