User assigned to a default admin role

Back


Id	c04ed74c-3b23-48cd-9c11-fd10cffddc64
Rulename	User assigned to a default admin role
Description	The policy detects users that were assigned to one of the systems default admin roles.
Severity	High
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Authomize
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
Version	1.0.2
Arm template	c04ed74c-3b23-48cd-9c11-fd10cffddc64.json

KQL

Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "User assigned to a default admin role"
| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics

YAML

requiredDataConnectors:
- connectorId: Authomize
  dataTypes:
  - Authomize_v2_CL
status: Available
queryFrequency: 30m
id: c04ed74c-3b23-48cd-9c11-fd10cffddc64
tactics:
- InitialAccess
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - columnName: URL
    identifier: Url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
alertDetailsOverride:
  alertDynamicProperties:
  - value: URL
    alertProperty: AlertLink
  alertSeverity: Severity
  alertDescriptionFormat: |
        User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.
  alertTactics: Tactics
  alertnameFormat: Alert from Authomize - User assigned to a default admin role
eventGroupingSettings:
  aggregationKind: SingleAlert
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "User assigned to a default admin role"
  | project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics  
kind: Scheduled
suppressionEnabled: false
relevantTechniques:
- T1078
name: User assigned to a default admin role
customDetails:
  ReferencedURL: URL
  AuthomizeEventID: EventID
  EventName: Policy
  EventRecommendation: Recommendation
  EventDescription: Description
triggerThreshold: 0
queryPeriod: 30m
triggerOperator: gt
description: The policy detects users that were assigned to one of the systems default admin roles.
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    matchingMethod: AnyAlert
    reopenClosedIncident: false
    lookbackDuration: 5h
    groupByEntities: []
    groupByCustomDetails: []
    groupByAlertDetails: []
  createIncident: true
severity: High
version: 1.0.2

ARM