SlackAudit - User login after deactivated
| Id | e6e99dcb-4dff-48d2-8012-206ca166b36b |
| Rulename | SlackAudit - User login after deactivated. |
| Description | Detects when user email linked to account changes. |
| Severity | Medium |
| Tactics | InitialAccess Persistence PrivilegeEscalation |
| Techniques | T1078 |
| Required data connectors | SlackAuditAPI |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml |
| Version | 1.0.0 |
| Arm template | e6e99dcb-4dff-48d2-8012-206ca166b36b.json |
let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
| where TimeGenerated > ago(lb_time_max_h)
| where Action =~ 'user_login'
| summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
| project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
kind: Scheduled
name: SlackAudit - User login after deactivated.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
triggerThreshold: 0
version: 1.0.0
requiredDataConnectors:
- connectorId: SlackAuditAPI
dataTypes:
- SlackAudit_CL
status: Available
description: |
'Detects when user email linked to account changes.'
queryPeriod: 14d
severity: Medium
queryFrequency: 1h
relevantTechniques:
- T1078
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
triggerOperator: gt
query: |
let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
| where TimeGenerated > ago(lb_time_max_h)
| where Action =~ 'user_login'
| summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
| project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
"properties": {
"alertRuleTemplateName": "e6e99dcb-4dff-48d2-8012-206ca166b36b",
"customDetails": null,
"description": "'Detects when user email linked to account changes.'\n",
"displayName": "SlackAudit - User login after deactivated.",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountCustomEntity",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml",
"query": "let lbperiod_max_d = 14d;\nlet lbperiod_min_d = 1d;\nlet lb_time_max_h = 24h;\nSlackAudit\n| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))\n| where Action =~ 'user_deactivated'\n| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId\n| project deactivation_time, EntityUserEmail, EntityUserId\n| join (SlackAudit\n | where TimeGenerated > ago(lb_time_max_h)\n | where Action =~ 'user_login'\n | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity\n | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId\n| where EntityUserEmail == SrcUserEmail\n| where deactivation_time < new_login_time\n| extend AccountCustomEntity = SrcUserEmail\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Persistence",
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}