Solutions/Bitglass/Hunting Queries/BitglassRiskyUsers.yaml
id: 3f21e7e2-0226-412c-87f0-262700a64db0
name: Bitglass - Risky users
description: |
  'Query searches for risky users.'
severity: Medium
requiredDataConnectors:
  - connectorId: Bitglass
    dataTypes:
      - Bitglass
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  Bitglass
  | where TimeGenerated > ago(24h)
  | where EventType =~ 'access'
  | where EventResultDetails has_all ('Added', 'Risky Users')
  | extend AccountCustomEntity = User
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountCustomEntity