
Summary
The "Crowdstrike User Deleted" detection rule monitors for and alerts on the deletion of multiple user accounts within a CrowdStrike environment, which may be unauthorized. It fires when a threshold of three successful user deletion events is reached within a one-hour deduplication period. When it fires, the alert calls for immediate verification of whether the deletions were authorized. The rule consumes event streams from the CrowdStrike platform, specifically logs categorized as 'AuthActivityAuditEvent'. It carries a high severity level because multiple user deletions may indicate malicious activity or administrative error. The rule maps to the MITRE ATT&CK framework under the Defense Evasion tactic (T1070), reflecting that account deletion can be used to obscure traces of malicious operations. It ships with test cases that confirm it matches successful deletions, ignores unsuccessful deletion attempts, and filters out unrelated events. The overall aim of the rule is to strengthen security monitoring by flagging suspicious user deletion activity, reducing the risk of unauthorized access and preserving the integrity of user accounts.
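The per-event filter and the three-in-one-hour threshold described above, as an added Python example (this is not Panther's or CrowdStrike's own rule code). The field names eventType, event.OperationName, event.Success and event.UserId, and the ts timestamp, are assumptions about the log shape, and the sample events are constructed.

```python
from datetime import datetime, timedelta

THRESHOLD = 3                      # successful deletions needed to alert
DEDUP_WINDOW = timedelta(hours=1)  # one-hour deduplication period

def rule(event: dict) -> bool:
    """Per-event match: a successful user deletion in an AuthActivityAuditEvent.
    Field names are assumptions, not the documented CrowdStrike schema."""
    if event.get("eventType") != "AuthActivityAuditEvent":
        return False  # unrelated log type (e.g. detection summaries) is ignored
    inner = event.get("event", {})
    return inner.get("OperationName") == "deleteUser" and inner.get("Success") is True

def dedup(event: dict) -> str:
    """Group by acting user so repeated deletions by one actor count together."""
    return event.get("event", {}).get("UserId", "<unknown>")

def replay(events: list) -> list:
    """Simulate the threshold: return (actor, count) pairs that reach THRESHOLD
    matching events within one DEDUP_WINDOW, in chronological order."""
    windows = {}  # dedup key -> (window start, matches in window)
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not rule(ev):
            continue  # failed attempts and other operations never count
        key = dedup(ev)
        start, count = windows.get(key, (None, 0))
        if start is None or ev["ts"] - start > DEDUP_WINDOW:
            start, count = ev["ts"], 0  # open a fresh one-hour window
        count += 1
        windows[key] = (start, count)
        if count == THRESHOLD:
            fired.append((key, count))
    return fired

def _mk(minute, op, success, actor, kind="AuthActivityAuditEvent"):
    # Constructed sample event for demonstration only.
    return {"eventType": kind, "ts": datetime(2024, 7, 22, 10, minute),
            "event": {"OperationName": op, "Success": success, "UserId": actor}}

SAMPLE_EVENTS = [
    _mk(0, "deleteUser", True, "admin@example.com"),
    _mk(5, "deleteUser", False, "admin@example.com"),   # failed attempt: ignored
    _mk(10, "createUser", True, "admin@example.com"),   # unrelated operation: ignored
    _mk(12, "deleteUser", True, "admin@example.com", kind="DetectionSummaryEvent"),
    _mk(15, "deleteUser", True, "admin@example.com"),
    _mk(20, "deleteUser", True, "other@example.com"),   # separate dedup key
    _mk(40, "deleteUser", True, "admin@example.com"),   # third success -> alert
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))  # [('admin@example.com', 3)]
```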
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1070
Created: 2024-07-22