Sentinel One - New admin created

Back


Id	e73d293d-966c-47ec-b8e0-95255755f12c
Rulename	Sentinel One - New admin created
Description	Detects when new admin user is created.
Severity	Medium
Tactics	PrivilegeEscalation
Techniques	T1078
Required data connectors	SentinelOne
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneNewAdmin.yaml
Version	1.0.0
Arm template	e73d293d-966c-47ec-b8e0-95255755f12c.json

KQL

SentinelOne
| where ActivityType == 23
| extend AccountCustomEntity = SrcUserName

YAML

queryFrequency: 1h
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
    'Detects when new admin user is created.'
status: Available
relevantTechniques:
- T1078
name: Sentinel One - New admin created
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneNewAdmin.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
query: |
  SentinelOne
  | where ActivityType == 23
  | extend AccountCustomEntity = SrcUserName  
id: e73d293d-966c-47ec-b8e0-95255755f12c
requiredDataConnectors:
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne
kind: Scheduled
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e73d293d-966c-47ec-b8e0-95255755f12c')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e73d293d-966c-47ec-b8e0-95255755f12c')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Sentinel One - New admin created",
        "description": "'Detects when new admin user is created.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "SentinelOne\n| where ActivityType == 23\n| extend AccountCustomEntity = SrcUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "e73d293d-966c-47ec-b8e0-95255755f12c",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneNewAdmin.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}