Microsoft Sentinel Analytic Rules

OracleDBAudit - New user account

Id: cca7b348-e904-4a7a-8f26-d22d4d477119
Rule name: OracleDBAudit - New user account
Description: Detects when an action was made by new user.
Severity: Low
Tactics: InitialAccess, Persistence
Techniques: T1078
Required data connectors: OracleDatabaseAudit, SyslogAma
Kind: Scheduled
Query frequency: 3h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
Version: 1.0.1
Arm template: cca7b348-e904-4a7a-8f26-d22d4d477119.json
// Baseline window: DstUserName values seen between 14 days and 24 hours ago count as "known".
let lbtime_d = 14d;
let lbtime_24h = 24h;
// Set of users with at least one audited Action in the baseline window (the most recent 24h is excluded
// so that a user first seen today is not part of their own baseline).
let known_users = OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
| where isnotempty(DstUserName)
| where isnotempty(Action)
// NOTE(review): makeset() is the deprecated spelling; make_set() is the current function name.
| summarize makeset(DstUserName);
// Main leg: no explicit time filter, so it is bounded only by the rule's queryPeriod (14d).
// Any user not in the baseline set is therefore one whose first event fell inside the last 24h.
OracleDatabaseAuditEvent
| where isnotempty(DstUserName)
| where isnotempty(Action)
| where DstUserName !in (known_users)
// NOTE(review): one row per event and no summarize — with a 3h queryFrequency the same new user is
// reported on every run for roughly 24h; consider `summarize by DstUserName` and restricting this leg
// to ago(lbtime_24h) so each new account produces a single alert.
| project DstUserName
| extend AccountCustomEntity = DstUserName
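id: cca7b348-e904-4a7a-8f26-d22d4d477119
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: OracleDatabaseAudit
# Key casing fixed: this entry was spelled `datatypes`, unlike the camelCase `dataTypes` used above.
- dataTypes:
  - Syslog
  connectorId: SyslogAma
description: |
    'Detects when an action was made by new user.'
severity: Low
# Lookback per run; the query's 14d baseline window relies on this being at least 14d.
queryPeriod: 14d
kind: Scheduled
tactics:
- InitialAccess
- Persistence
# Each run re-evaluates the full 14d period; see the note on repeat alerts above the query.
queryFrequency: 3h
# Users seen 14d..24h ago form the baseline; every event for a DstUserName outside that set
# becomes a result row. NOTE(review): no summarize and no filter to the last 24h, so one new user
# yields a row per event and is re-reported on each 3h run until the event ages past 24h.
query: |
  let lbtime_d = 14d;
  let lbtime_24h = 24h;
  let known_users = OracleDatabaseAuditEvent
  | where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | summarize makeset(DstUserName);
  OracleDatabaseAuditEvent
  | where isnotempty(DstUserName)
  | where isnotempty(Action)
  | where DstUserName !in (known_users)
  | project DstUserName
  | extend AccountCustomEntity = DstUserName  
version: 1.0.1
# Fires on any result row (threshold 0 with operator gt).
triggerThreshold: 0
name: OracleDBAudit - New user account
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
status: Available
relevantTechniques:
- T1078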
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cca7b348-e904-4a7a-8f26-d22d4d477119')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cca7b348-e904-4a7a-8f26-d22d4d477119')]",
      "properties": {
        "alertRuleTemplateName": "cca7b348-e904-4a7a-8f26-d22d4d477119",
        "customDetails": null,
        "description": "'Detects when an action was made by new user.'\n",
        "displayName": "OracleDBAudit - New user account",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewUserDetected.yaml",
        "query": "let lbtime_d = 14d;\nlet lbtime_24h = 24h;\nlet known_users = OracleDatabaseAuditEvent\n| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| summarize makeset(DstUserName);\nOracleDatabaseAuditEvent\n| where isnotempty(DstUserName)\n| where isnotempty(Action)\n| where DstUserName !in (known_users)\n| project DstUserName\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT3H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}