
Account Created And Deleted Within A Close Time Frame

Detects when an account was created and deleted in a short period of time.

Mark Morowczynski, Mike Duddington, Tim Shelton | Created Thu Aug 11 | Updated Thu Aug 18 | 6f583da0-3a90-4566-a4ed-83c09fe18bbf | cloud
Log Source
Product: Azure (raw: azure)
Service: auditlogs (raw: auditlogs)
Detection Logic (1 selector)
detection:
    selection:
        properties.message:
            - Add user
            - Delete user
        Status: Success
    condition: selection
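
The selection above matches each successful "Add user" or "Delete user" event on its own, so pairing a creation with a deletion of the same account has to happen downstream. The following is an added example of that correlation, not part of the Sigma rule or its repository; the `time` and `target` field names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; the rule itself states none

# Constructed sample events, deliberately out of order. "properties.message" and
# "Status" are the fields the rule selects on; "time" and "target" are assumed
# names for the event timestamp and the affected account.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:03:30", "properties.message": "Delete user", "Status": "Success", "target": "svc-temp@example.com"},
    {"time": "2024-01-15T09:00:00", "properties.message": "Add user", "Status": "Success", "target": "svc-temp@example.com"},
    {"time": "2024-01-15T09:05:00", "properties.message": "Add user", "Status": "Success", "target": "alice@example.com"},
    {"time": "2024-01-16T14:00:00", "properties.message": "Delete user", "Status": "Success", "target": "alice@example.com"},
    {"time": "2024-01-15T09:10:00", "properties.message": "Add user", "Status": "Failure", "target": "bob@example.com"},
    {"time": "2024-01-15T09:11:00", "properties.message": "Delete user", "Status": "Success", "target": "bob@example.com"},
]

def operation(ev):
    """Return 'add user' / 'delete user' if the event passes the rule's selection, else None."""
    msg = str(ev.get("properties.message", "")).lower()   # Sigma string matches ignore case
    ok = str(ev.get("Status", "")).lower() == "success"
    return msg if ok and msg in ("add user", "delete user") else None

def short_lived_accounts(events, window=WINDOW):
    """Return (target, created, deleted) for accounts deleted within `window` of creation."""
    selected = [(datetime.fromisoformat(e["time"]), operation(e), e["target"])
                for e in events if operation(e)]
    pending = {}  # target -> time of the latest creation not yet paired with a deletion
    hits = []
    for ts, op, target in sorted(selected):
        if op == "add user":
            pending[target] = ts
        else:
            created = pending.pop(target, None)
            # A deletion with no recorded successful creation is not a pair.
            if created is not None and ts - created <= window:
                hits.append((target, created, ts))
    return hits

if __name__ == "__main__":
    for target, created, deleted in short_lived_accounts(SAMPLE_EVENTS):
        print(f"{target}: created {created}, deleted {deleted} ({deleted - created})")
```
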
False Positives

Legit administrative action

Rule Metadata
Rule ID: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
Status: test
Level: high
Type: Detection
Created: Thu Aug 11
Modified: Thu Aug 18
Path: rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.initial-access, attack.defense-evasion, attack.t1078