SlackAudit - User role changed to admin or owner

Back


Id	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
Rulename	SlackAudit - User role changed to admin or owner
Description	This query helps to detect a change in the users role to admin or owner.
Severity	Low
Tactics	Persistence PrivilegeEscalation
Techniques	T1098 T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
Version	1.0.0
Arm template	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e.json

KQL

SlackAudit
| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
| extend AccountCustomEntity = SrcUserName

YAML

requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
version: 1.0.0
status: Available
queryPeriod: 1h
severity: Low
relevantTechniques:
- T1098
- T1078
tactics:
- Persistence
- PrivilegeEscalation
kind: Scheduled
queryFrequency: 1h
description: |
    'This query helps to detect a change in the users role to admin or owner.'
query: |
  SlackAudit
  | where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
  | extend AccountCustomEntity = SrcUserName  
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
name: SlackAudit - User role changed to admin or owner

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "properties": {
        "alertRuleTemplateName": "be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e",
        "customDetails": null,
        "description": "'This query helps to detect a change in the users role to admin or owner.'\n",
        "displayName": "SlackAudit - User role changed to admin or owner",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml",
        "query": "SlackAudit\n| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}