SlackAudit - User login after deactivated

Back


Id	e6e99dcb-4dff-48d2-8012-206ca166b36b
Rulename	SlackAudit - User login after deactivated.
Description	Detects when user email linked to account changes.
Severity	Medium
Tactics	InitialAccess Persistence PrivilegeEscalation
Techniques	T1078
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
Version	1.0.0
Arm template	e6e99dcb-4dff-48d2-8012-206ca166b36b.json

KQL

let lbperiod_max_d = 14d;
let lbperiod_min_d = 1d;
let lb_time_max_h = 24h;
SlackAudit
| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
| where Action =~ 'user_deactivated'
| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
| project deactivation_time, EntityUserEmail, EntityUserId
| join (SlackAudit
      | where TimeGenerated > ago(lb_time_max_h)
      | where Action =~ 'user_login'
      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
| where EntityUserEmail == SrcUserEmail
| where deactivation_time < new_login_time
| extend AccountCustomEntity = SrcUserEmail

YAML

description: |
    'Detects when user email linked to account changes.'
status: Available
queryPeriod: 14d
severity: Medium
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1078
version: 1.0.0
name: SlackAudit - User login after deactivated.
queryFrequency: 1h
id: e6e99dcb-4dff-48d2-8012-206ca166b36b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
query: |
  let lbperiod_max_d = 14d;
  let lbperiod_min_d = 1d;
  let lb_time_max_h = 24h;
  SlackAudit
  | where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))
  | where Action =~ 'user_deactivated'
  | summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId
  | project deactivation_time, EntityUserEmail, EntityUserId
  | join (SlackAudit
        | where TimeGenerated > ago(lb_time_max_h)
        | where Action =~ 'user_login'
        | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity
        | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId
  | where EntityUserEmail == SrcUserEmail
  | where deactivation_time < new_login_time
  | extend AccountCustomEntity = SrcUserEmail

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e99dcb-4dff-48d2-8012-206ca166b36b')]",
      "properties": {
        "alertRuleTemplateName": "e6e99dcb-4dff-48d2-8012-206ca166b36b",
        "customDetails": null,
        "description": "'Detects when user email linked to account changes.'\n",
        "displayName": "SlackAudit - User login after deactivated.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditUserLoginAfterDeactivated.yaml",
        "query": "let lbperiod_max_d = 14d;\nlet lbperiod_min_d = 1d;\nlet lb_time_max_h = 24h;\nSlackAudit\n| where TimeGenerated between (ago(lbperiod_max_d) .. (lbperiod_min_d))\n| where Action =~ 'user_deactivated'\n| summarize deactivation_time = max(TimeGenerated) by EntityUserEmail, EntityUserId\n| project deactivation_time, EntityUserEmail, EntityUserId\n| join (SlackAudit\n      | where TimeGenerated > ago(lb_time_max_h)\n      | where Action =~ 'user_login'\n      | summarize new_login_time = max(TimeGenerated) by SrcUserEmail, SrcUserIdentity\n      | project new_login_time, SrcUserEmail, EntityUserId = SrcUserIdentity) on EntityUserId\n| where EntityUserEmail == SrcUserEmail\n| where deactivation_time < new_login_time\n| extend AccountCustomEntity = SrcUserEmail\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}