Azure AD Global Administrator Role Assigned
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/06"
3integration = ["azure"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
13is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
14identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
15Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
16subscriptions and their settings and resources.
17"""
18from = "now-25m"
19index = ["filebeat-*", "logs-azure*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Azure AD Global Administrator Role Assigned"
23note = """## Setup
24
25The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
26references = [
27 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
28]
29risk_score = 47
30rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
31severity = "medium"
32tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
38azure.auditlogs.operation_name:"Add member to role" and
39azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1098"
47name = "Account Manipulation"
48reference = "https://attack.mitre.org/techniques/T1098/"
49[[rule.threat.technique.subtechnique]]
50id = "T1098.003"
51name = "Additional Cloud Roles"
52reference = "https://attack.mitre.org/techniques/T1098/003/"
53
54
55
56[rule.threat.tactic]
57id = "TA0003"
58name = "Persistence"
59reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Azure Automation Account Created
- Azure Global Administrator Role Addition to PIM User
- Azure Privilege Identity Management Role Modified
- Multi-Factor Authentication Disabled for an Azure User
- Azure Active Directory High Risk Sign-in