SlackAudit - User role changed to admin or owner

Back


Id	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
Rulename	SlackAudit - User role changed to admin or owner
Description	This query helps to detect a change in the users role to admin or owner.
Severity	Low
Tactics	Persistence PrivilegeEscalation
Techniques	T1098 T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
Version	1.0.0
Arm template	be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e.json

KQL

SlackAudit
| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
| extend AccountCustomEntity = SrcUserName

YAML

severity: Low
triggerThreshold: 0
query: |
  SlackAudit
  | where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')
  | extend AccountCustomEntity = SrcUserName  
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
id: be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e
version: 1.0.0
name: SlackAudit - User role changed to admin or owner
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml
queryPeriod: 1h
relevantTechniques:
- T1098
- T1078
triggerOperator: gt
tactics:
- Persistence
- PrivilegeEscalation
description: |
    'This query helps to detect a change in the users role to admin or owner.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "SlackAudit - User role changed to admin or owner",
        "description": "'This query helps to detect a change in the users role to admin or owner.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "SlackAudit\n| where DvcAction in~ ('role_change_to_admin', 'role_change_to_owner')\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1098",
          "T1078"
        ],
        "alertRuleTemplateName": "be6c5fc9-2ac3-43e6-8fb0-cb139e04e43e",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserChangedToAdminOrOwner.yaml",
        "templateVersion": "1.0.0",
        "status": "Available"
      }
    }
  ]
}