Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SlackAudit - User login after deactivated

SlackAudit - User login after deactivated

Back
Ide6e99dcb-4dff-48d2-8012-206ca166b36b
RulenameSlackAudit - User login after deactivated.
DescriptionDetects when user email linked to account changes.
SeverityMedium
TacticsInitialAccess
Persistence
PrivilegeEscalation
TechniquesT1078
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Version1.0.0
Arm templatee6e99dcb-4dff-48d2-8012-206ca166b36b.json
Deploy To Azure
let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
      | where TimeGenerated > ago(lb_time_max_h)
      | where Action =~ 'user_login'
      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail

query: |
  let lbperiod_max_d = 14d;
  let lbperiod_min_d = 1d;
  let lb_time_max_h = 24h;
  SlackAudit
  | where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
  | where Action =~ 'user_deactivated'
  | summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
  | project deactivation_time, EntityUserEmail, EntityUserId
  | join (SlackAudit
        | where TimeGenerated > ago(lb_time_max_h)
        | where Action =~ 'user_login'
        | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
        | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
  | where EntityUserEmail == SrcUserEmail
  | where deactivation_time < new_login_time
  | extend AccountCustomEntity = SrcUserEmail  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
triggerThreshold: 0
name: SlackAudit - User login after deactivated.
severity: Medium
relevantTechniques:
- T1078
queryPeriod: 14d
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
queryFrequency: 1h
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
kind: Scheduled
description: |
    'Detects when user email linked to account changes.'
status: Available
triggerOperator: gt