Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Sigma rule (View on GitHub)
1title: Account Created And Deleted Within A Close Time Frame
2id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
3status: test
4description: Detects when an account was created and deleted in a short period of time.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
7author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
8date: 2022-08-11
9modified: 2022-08-18
10tags:
11 - attack.defense-evasion
12 - attack.t1078
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 properties.message:
19 - Add user
20 - Delete user
21 Status: Success
22 condition: selection
23falsepositives:
24 - Legit administrative action
25level: high
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel