User assigned to a default admin role

Back


Id	c04ed74c-3b23-48cd-9c11-fd10cffddc64
Rulename	User assigned to a default admin role
Description	The policy detects users that were assigned to one of the systems default admin roles.
Severity	High
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Authomize
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
Version	1.0.2
Arm template	c04ed74c-3b23-48cd-9c11-fd10cffddc64.json

KQL

Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "User assigned to a default admin role"
| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics

YAML

eventGroupingSettings:
  aggregationKind: SingleAlert
triggerThreshold: 0
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URL
requiredDataConnectors:
- dataTypes:
  - Authomize_v2_CL
  connectorId: Authomize
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
customDetails:
  EventName: Policy
  EventRecommendation: Recommendation
  ReferencedURL: URL
  EventDescription: Description
  AuthomizeEventID: EventID
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    reopenClosedIncident: false
    groupByCustomDetails: []
    enabled: true
    groupByAlertDetails: []
    groupByEntities: []
    matchingMethod: AnyAlert
version: 1.0.2
name: User assigned to a default admin role
alertDetailsOverride:
  alertDynamicProperties:
  - value: URL
    alertProperty: AlertLink
  alertnameFormat: Alert from Authomize - User assigned to a default admin role
  alertSeverity: Severity
  alertDescriptionFormat: |
        User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.
  alertTactics: Tactics
relevantTechniques:
- T1078
status: Available
suppressionEnabled: false
queryPeriod: 30m
kind: Scheduled
id: c04ed74c-3b23-48cd-9c11-fd10cffddc64
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "User assigned to a default admin role"
  | project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics  
description: The policy detects users that were assigned to one of the systems default admin roles.
queryFrequency: 30m
severity: High
triggerOperator: gt
tactics:
- InitialAccess
suppressionDuration: 5h

ARM