SlackAudit - User role changed to admin or owner

Back


Id	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
Rulename	SlackAudit - User role changed to admin or owner
Description	This query helps to detect a change in the users role to admin or owner.
Severity	Low
Tactics	Persistence PrivilegeEscalation
Techniques	T1098 T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
Version	1.0.0
Arm template	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e.json

KQL

SlackAudit
| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
| extend AccountCustomEntity = SrcUserName

YAML

kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
severity: Low
name: SlackAudit - User role changed to admin or owner
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
relevantTechniques:
- T1098
- T1078
queryFrequency: 1h
triggerThreshold: 0
queryPeriod: 1h
description: |
    'This query helps to detect a change in the users role to admin or owner.'
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
version: 1.0.0
tactics:
- Persistence
- PrivilegeEscalation
query: |
  SlackAudit
  | where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
  | extend AccountCustomEntity = SrcUserName  
status: Available
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "SlackAudit - User role changed to admin or owner",
        "description": "'This query helps to detect a change in the users role to admin or owner.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "SlackAudit\n| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1098",
          "T1078"
        ],
        "alertRuleTemplateName": "be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}