User assigned to a default admin role

Back


Id	c04ed74c-3b23-48cd-9c11-fd10cffddc64
Rulename	User assigned to a default admin role
Description	The policy detects users that were assigned to one of the systems default admin roles.
Severity	High
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Authomize
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
Version	1.0.2
Arm template	c04ed74c-3b23-48cd-9c11-fd10cffddc64.json

KQL

Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "User assigned to a default admin role"
| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics

YAML

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByCustomDetails: []
    matchingMethod: AnyAlert
    groupByAlertDetails: []
    groupByEntities: []
    lookbackDuration: 5h
    enabled: true
    reopenClosedIncident: false
requiredDataConnectors:
- dataTypes:
  - Authomize_v2_CL
  connectorId: Authomize
relevantTechniques:
- T1078
triggerOperator: gt
customDetails:
  EventRecommendation: Recommendation
  EventName: Policy
  ReferencedURL: URL
  AuthomizeEventID: EventID
  EventDescription: Description
queryFrequency: 30m
severity: High
description: The policy detects users that were assigned to one of the systems default admin roles.
triggerThreshold: 0
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - columnName: URL
    identifier: Url
  entityType: URL
alertDetailsOverride:
  alertDescriptionFormat: |
        User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.
  alertSeverity: Severity
  alertDynamicProperties:
  - alertProperty: AlertLink
    value: URL
  alertTactics: Tactics
  alertnameFormat: Alert from Authomize - User assigned to a default admin role
name: User assigned to a default admin role
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "User assigned to a default admin role"
  | project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics  
version: 1.0.2
suppressionEnabled: false
tactics:
- InitialAccess
queryPeriod: 30m
kind: Scheduled
id: c04ed74c-3b23-48cd-9c11-fd10cffddc64
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available

ARM