Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. OracleDBAudit - New user account

OracleDBAudit - New user account

Back
Idcca7b348-e904-4a7a-8f26-d22d4d477119
RulenameOracleDBAudit - New user account
DescriptionDetects when an action was made by new user.
SeverityLow
TacticsInitialAccess
Persistence
TechniquesT1078
Required data connectorsSyslogAma
KindScheduled
Query frequency3h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
Version1.0.2
Arm templatecca7b348-e904-4a7a-8f26-d22d4d477119.json
Deploy To Azure
let lbtime_d = 14d;
let lbtime_24h = 24h;
let known_users = OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
| where isnotempty(DstUserName)
| where isnotempty(Action)
| summarize makeset(DstUserName);
OracleDatabaseAuditEvent
| where isnotempty(DstUserName)
| where isnotempty(Action)
| where DstUserName !in (known_users)
| project DstUserName
| extend AccountCustomEntity = DstUserName

queryPeriod: 14d
query: |
  let lbtime_d = 14d;
  let lbtime_24h = 24h;
  let known_users = OracleDatabaseAuditEvent
  | where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | summarize makeset(DstUserName);
  OracleDatabaseAuditEvent
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | where DstUserName !in (known_users)
  | project DstUserName
  | extend AccountCustomEntity = DstUserName  
name: OracleDBAudit - New user account
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
queryFrequency: 3h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
description: |
    'Detects when an action was made by new user.'
kind: Scheduled
version: 1.0.2
status: Available
severity: Low
relevantTechniques:
- T1078
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
id: cca7b348-e904-4a7a-8f26-d22d4d477119