Microsoft Sentinel Analytic Rules

OracleDBAudit - New user account

Id: cca7b348-e904-4a7a-8f26-d22d4d477119
Rule name: OracleDBAudit - New user account
Description: Detects actions performed by a user account that did not appear in Oracle database audit events during the preceding 14-day baseline (excluding the last 24 hours).
Severity: Low
Tactics: InitialAccess, Persistence
Techniques: T1078
Required data connectors: OracleDatabaseAudit, SyslogAma
Kind: Scheduled
Query frequency: 3h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
Version: 1.0.1
Arm template: cca7b348-e904-4a7a-8f26-d22d4d477119.json
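// New-account detection for Oracle database audit events.
// An account is "new" when it performs an audited action in the detection window
// but never appeared in the audit log during the baseline window.
//
// Baseline window: events between 14 days ago and 24 hours ago. The rule's
// queryPeriod must be at least this long or known_users is truncated and every
// account looks new.
let lbtime_d = 14d;
// Detection window: the most recent 24 hours.
// NOTE: the rule is scheduled every 3h with alert suppression disabled, so an
// account first seen at time T is re-reported on every run until T ages past
// the 24h boundary into the baseline. Either enable ~24h suppression on the
// rule or shorten this window to match the query frequency.
let lbtime_24h = 24h;
// Distinct user names that performed at least one audited action in the baseline.
// make_set replaces the deprecated makeset alias.
let known_users = OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
| where isnotempty(DstUserName)
| where isnotempty(Action)
| summarize make_set(DstUserName);
OracleDatabaseAuditEvent
// Only the detection window needs to be scanned: every user with an event older
// than 24h is already in known_users, so the original full 14-day scan of this
// table could never return extra rows, it only cost query time.
| where TimeGenerated > ago(lbtime_24h)
| where isnotempty(DstUserName)
| where isnotempty(Action)
// `!in` is case-sensitive. If the audit source ever emits a differently-cased
// variant of an existing account it will be reported as new; switch to `!in~`
// if that proves noisy for your environment.
| where DstUserName !in (known_users)
// Collapse to one row per unseen account and keep enough context for triage
// (first/last activity, volume, and the distinct actions observed) instead of
// projecting a bare user name per event.
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    EventCount = count(),
    Actions = make_set(Action)
    by DstUserName
// Column consumed by the rule's Account entity mapping (identifier: FullName).
| extend AccountCustomEntity = DstUserName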
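# Sentinel scheduled analytic rule: reports Oracle database user accounts that perform
# an audited action in the last 24h but did not appear in the audit log during the
# 14-day baseline window. Maps to T1078 (Valid Accounts).
requiredDataConnectors:
- connectorId: OracleDatabaseAudit
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  # Key was `datatypes` (lower-case t); the rule schema field is `dataTypes`, as used
  # on the OracleDatabaseAudit connector above.
  dataTypes:
  - Syslog
status: Available
relevantTechniques:
- T1078
# Runs every 3h, but the query's detection window is 24h, so an unseen account is
# re-reported on consecutive runs until it ages into the baseline. Enable alert
# suppression (~24h) or align the detection window with this frequency.
queryFrequency: 3h
id: cca7b348-e904-4a7a-8f26-d22d4d477119
name: OracleDBAudit - New user account
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
# Must cover the full baseline (lbtime_d in the query) so known_users is complete.
queryPeriod: 14d
entityMappings:
- fieldMappings:
  # Column produced by the final `extend` in the query.
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
# Stray single quotes inside the block scalar were part of the rendered text; removed.
description: |
    Detects actions performed by a user account that did not appear in Oracle database audit events during the preceding 14-day baseline (excluding the last 24 hours).
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
query: |
  // Baseline window: users seen between 14 days and 24 hours ago are "known".
  let lbtime_d = 14d;
  // Detection window: the most recent 24 hours (see queryFrequency note above).
  let lbtime_24h = 24h;
  // Distinct user names with at least one audited action in the baseline.
  // make_set replaces the deprecated makeset alias.
  let known_users = OracleDatabaseAuditEvent
  | where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | summarize make_set(DstUserName);
  OracleDatabaseAuditEvent
  // Only the detection window needs scanning: users with older events are
  // already in known_users, so the original full-period scan added no rows.
  | where TimeGenerated > ago(lbtime_24h)
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  // `!in` is case-sensitive; use `!in~` if differently-cased variants of
  // known accounts cause noise.
  | where DstUserName !in (known_users)
  // One row per unseen account with triage context instead of a bare name per event.
  | summarize
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated),
      EventCount = count(),
      Actions = make_set(Action)
      by DstUserName
  // Column consumed by the Account entity mapping.
  | extend AccountCustomEntity = DstUserName
kind: Scheduled
triggerOperator: gt
version: 1.0.1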
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cca7b348-e904-4a7a-8f26-d22d4d477119')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cca7b348-e904-4a7a-8f26-d22d4d477119')]",
      "properties": {
        "alertRuleTemplateName": "cca7b348-e904-4a7a-8f26-d22d4d477119",
        "customDetails": null,
        "description": "Detects actions performed by a user account that did not appear in Oracle database audit events during the preceding 14-day baseline (excluding the last 24 hours).\n",
        "displayName": "OracleDBAudit - New user account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml",
        "query": "let lbtime_d = 14d;\nlet lbtime_24h = 24h;\nlet known_users = OracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| where DstUserName !in (known_users)\n| project DstUserName\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}