Azure AD Global Administrator Role Assigned

In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/01/06"
 3integration = ["azure"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
11is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
12identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
13Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
14subscriptions and their settings and resources.
15"""
16from = "now-25m"
17index = ["filebeat-*", "logs-azure*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Azure AD Global Administrator Role Assigned"
21note = """## Setup
22
23The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
24references = [
25    "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
26]
27risk_score = 47
28rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
29severity = "medium"
30tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
36azure.auditlogs.operation_name:"Add member to role" and
37azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1098"
45name = "Account Manipulation"
46reference = "https://attack.mitre.org/techniques/T1098/"
47[[rule.threat.technique.subtechnique]]
48id = "T1098.003"
49name = "Additional Cloud Roles"
50reference = "https://attack.mitre.org/techniques/T1098/003/"
51
52
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top