Activity Performed by Terminated User
Detects when Microsoft Cloud App Security reports users whose account was terminated in Azure AD but who still perform activities on other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since those accounts are often not terminated when a user leaves the company.
Sigma rule

title: Activity Performed by Terminated User
id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
status: test
description: |
    Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.
    This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Activity performed by terminated user'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
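As an added example (not part of the rule or the Sigma project), the following Python evaluator applies this rule's selection to constructed M365 threat_management records, showing which records fire and which do not (status not success, a different eventSource, or a missing eventName). The record shapes and user IDs are assumptions made for illustration.

```python
import json

# The detection block of the Sigma rule above, transcribed as Python data.
SELECTION = {
    "eventSource": "SecurityComplianceCenter",
    "eventName": "Activity performed by terminated user",
    "status": "success",
}

def matches_selection(event, selection=SELECTION):
    """Sigma selection semantics: every listed field must be present and equal.
    Sigma string values match case-insensitively by default, so compare lowercased."""
    for field, expected in selection.items():
        value = event.get(field)
        if value is None or str(value).lower() != str(expected).lower():
            return False
    return True

# Constructed sample records (JSON lines) shaped like exported M365
# threat_management alerts; not real tenant data.
SAMPLE_LOG = """
{"id": 1, "eventSource": "SecurityComplianceCenter", "eventName": "Activity performed by terminated user", "status": "success", "userId": "former.employee@example.com"}
{"id": 2, "eventSource": "SecurityComplianceCenter", "eventName": "Activity Performed By Terminated User", "status": "Success", "userId": "contractor@example.com"}
{"id": 3, "eventSource": "SecurityComplianceCenter", "eventName": "Activity performed by terminated user", "status": "failure", "userId": "blocked@example.com"}
{"id": 4, "eventSource": "Exchange", "eventName": "Activity performed by terminated user", "status": "success", "userId": "other@example.com"}
{"id": 5, "eventSource": "SecurityComplianceCenter", "status": "success", "userId": "nofield@example.com"}
"""

def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def alerting_user_ids(events):
    """Return the userIds of events that satisfy the rule's selection."""
    return [e["userId"] for e in events if matches_selection(e)]

if __name__ == "__main__":
    hits = alerting_user_ids(parse_log(SAMPLE_LOG))
    print("Alerting users:", hits)  # ['former.employee@example.com', 'contractor@example.com']
```

Record 2 matches despite differing letter case, which is the Sigma default; a backend configured for case-sensitive matching would drop it, so check how your SIEM converts this rule.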