Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SlackAudit - User login after deactivated

SlackAudit - User login after deactivated

Back
Ide6e99dcb-4dff-48d2-8012-206ca166b36b
RulenameSlackAudit - User login after deactivated.
DescriptionDetects when user email linked to account changes.
SeverityMedium
TacticsInitialAccess
Persistence
PrivilegeEscalation
TechniquesT1078
Required data connectorsSlackAuditAPI
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Version1.0.0
Arm templatee6e99dcb-4dff-48d2-8012-206ca166b36b.json
Deploy To Azure
let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
      | where TimeGenerated > ago(lb_time_max_h)
      | where Action =~ 'user_login'
      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
queryPeriod: 14d
kind: Scheduled
name: SlackAudit - User login after deactivated.
status: Available
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
description: |
    'Detects when user email linked to account changes.'
severity: Medium
requiredDataConnectors:
- connectorId: SlackAuditAPI
  dataTypes:
  - SlackAudit_CL
queryFrequency: 1h
triggerThreshold: 0
version: 1.0.0
query: |
  let lbperiod_max_d = 14d;
  let lbperiod_min_d = 1d;
  let lb_time_max_h = 24h;
  SlackAudit
  | where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
  | where Action =~ 'user_deactivated'
  | summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
  | project deactivation_time, EntityUserEmail, EntityUserId
  | join (SlackAudit
        | where TimeGenerated > ago(lb_time_max_h)
        | where Action =~ 'user_login'
        | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
        | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
  | where EntityUserEmail == SrcUserEmail
  | where deactivation_time < new_login_time
  | extend AccountCustomEntity = SrcUserEmail  
relevantTechniques:
- T1078
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
triggerOperator: gt