MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1136 Create Account |
Rule body yaml
# Monitors for useraccount creation and adds an entry to the KVStore for the user. This depends on the
# event_type of USER_ACCOUNT_CREATED to be in the data model for the log source and will work in tandem
# with a helper function that checks for the userid in the KV store.
# This is rule is explicitly looking for accounts associated with a userid, not automation accounts that
# May have no user associated
AnalysisType: rule
Filename: new_user_account_logging.py
RuleID: "Standard.NewUserAccountCreated"
DisplayName: "New User Account Created"
Enabled: true
LogTypes:
- OneLogin.Events
- AWS.CloudTrail
- Zoom.Operation
Tags:
- DataModel
- Indicator Collection
- OneLogin
- Persistence:Create Account
Severity: Info
Reports:
MITRE ATT&CK:
- TA0003:T1136
Stratus Red Team:
- aws.persistence.iam-create-admin-user
Description: A new account was created
Runbook: A new user account was created, ensure it was created through standard practice and is for a valid purpose.
Reference: https://attack.mitre.org/techniques/T1136/001/
SummaryAttributes:
- p_any_usernames
Tests:
- Name: User Creation Event - OneLogin
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: >-
Log:
{
"event_type_id": 13,
"actor_user_id": 123456,
"user_id": 12345,
"actor_user_name": "Bob Cat",
"user_name": "Bob Cat",
"p_event_time": "2021-06-27 00:08:28.792Z",
"p_log_type": "OneLogin.Events",
"p_row_id": "aaaaaaaabbbbbbbbbbbbccccccccc",
}
- Name: Standard Login Event - OneLogin
ExpectedResult: false
Log:
{
"event_type_id": 5,
"actor_user_id": 123456,
"actor_user_name": "Bob Cat",
"user_name": "Bob Cat",
"user_id": 12345,
"ipaddr": "192.168.1.1",
"p_event_time": "2021-06-27 00:08:28.792Z",
"p_log_type": "OneLogin.Events",
"p_row_id": "aaaaaaaabbbbbbbbbbbbccccccccc",
}
- Name: User Account Created - CloudTrail
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: >-
Log:
{
eventName: "CreateUser",
responseElements: { user: { userName: "Bob Cat", userId: "12345" } },
"p_event_time": "2021-08-31 15:46:02.000000000",
"p_log_type": "AWS.CloudTrail",
"p_row_id": "aaaaaaaabbbbbbbbbbbbccccccccc",
}
- Name: Normal Console Login - CloudTrail
ExpectedResult: false
Log:
{
"userIdentity": { "type": "IAMUser", "userName": "some_user" },
"eventName": "ConsoleLogin",
"responseElements": { "ConsoleLogin": "Success" },
"p_event_time": "2021-06-04 09:59:53.650807",
"p_row_id": "aaaaaaaabbbbbbbbbbbbccccccccc",
"p_log_type": "AWS.CloudTrail",
}
- Name: User Creation Event - Zoom
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: >-
Log:
{
"action": "Add",
"category_type": "User",
"operation_detail": "Add User homer@simpson.io - User Type: Basic - Department: Foo",
"operator": "abe@simpson.io",
"p_log_type": "Zoom.Operation",
"p_event_time": "2021-06-27 00:08:28.792Z",
}
Detection logic
Condition
event_type eq "user_account_created"
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event_type | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
user |