User assigned to a default admin role

Back


Id	c04ed74c-3b23-48cd-9c11-fd10cffddc64
Rulename	User assigned to a default admin role
Description	The policy detects users that were assigned to one of the systems default admin roles.
Severity	High
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Authomize
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
Version	1.0.2
Arm template	c04ed74c-3b23-48cd-9c11-fd10cffddc64.json

KQL

Authomize_v2_CL
| where ingestion_time() >= ago(30m)
| extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
| where Policy has "User assigned to a default admin role"
| project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics

YAML

entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: URL
tactics:
- InitialAccess
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - Authomize_v2_CL
  connectorId: Authomize
alertDetailsOverride:
  alertDescriptionFormat: |
        User assigned to a default admin role. The rule detects users that were assigned to one of the systems default admin roles.
  alertSeverity: Severity
  alertnameFormat: Alert from Authomize - User assigned to a default admin role
  alertTactics: Tactics
  alertDynamicProperties:
  - value: URL
    alertProperty: AlertLink
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails: []
    lookbackDuration: 5h
    groupByEntities: []
    groupByCustomDetails: []
    enabled: true
    matchingMethod: AnyAlert
  createIncident: true
id: c04ed74c-3b23-48cd-9c11-fd10cffddc64
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
customDetails:
  AuthomizeEventID: EventID
  EventName: Policy
  ReferencedURL: URL
  EventDescription: Description
  EventRecommendation: Recommendation
query: |-
  Authomize_v2_CL
  | where ingestion_time() >= ago(30m)
  | extend EventID = id_s, Policy = policy_name_s, Severity = severity_s,Description = description_s,Recommendation = recommendation_s,URL = url_s,Tactics = tactics_s
  | where Policy has "User assigned to a default admin role"
  | project  EventID, Policy, Severity, Description, Recommendation, URL, Category, Tactics  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Authomize/Analytic Rules/User_assigned_to_a_default_admin_role.yaml
kind: Scheduled
queryPeriod: 30m
version: 1.0.2
name: User assigned to a default admin role
queryFrequency: 30m
triggerThreshold: 0
relevantTechniques:
- T1078
description: The policy detects users that were assigned to one of the systems default admin roles.
triggerOperator: gt

ARM