Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. OracleDBAudit - New user account

OracleDBAudit - New user account

Back
Idcca7b348-e904-4a7a-8f26-d22d4d477119
RulenameOracleDBAudit - New user account
DescriptionDetects when an action was made by new user.
SeverityLow
TacticsInitialAccess
Persistence
TechniquesT1078
Required data connectorsSyslogAma
KindScheduled
Query frequency3h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
Version1.0.2
Arm templatecca7b348-e904-4a7a-8f26-d22d4d477119.json
Deploy To Azure
let lbtime_d = 14d;
let lbtime_24h = 24h;
let known_users = OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
| where isnotempty(DstUserName)
| where isnotempty(Action)
| summarize makeset(DstUserName);
OracleDatabaseAuditEvent
| where isnotempty(DstUserName)
| where isnotempty(Action)
| where DstUserName !in (known_users)
| project DstUserName
| extend AccountCustomEntity = DstUserName

name: OracleDBAudit - New user account
query: |
  let lbtime_d = 14d;
  let lbtime_24h = 24h;
  let known_users = OracleDatabaseAuditEvent
  | where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | summarize makeset(DstUserName);
  OracleDatabaseAuditEvent
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | where DstUserName !in (known_users)
  | project DstUserName
  | extend AccountCustomEntity = DstUserName  
queryFrequency: 3h
triggerOperator: gt
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
description: |
    'Detects when an action was made by new user.'
version: 1.0.2
id: cca7b348-e904-4a7a-8f26-d22d4d477119
kind: Scheduled
relevantTechniques:
- T1078
severity: Low
tactics:
- InitialAccess
- Persistence
queryPeriod: 14d