Azure Global Administrator Role Addition to PIM User

calendar Jun 22, 2023 · Domain: Cloud Data Source: Azure Use Case: Identity and Access Audit Tactic: Persistence  ·
Share on: linkedin copy

Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/24"
 3integration = ["azure"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM)
13user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an
14organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in
15your Azure AD organization.
16"""
17false_positives = [
18    """
19    Global administrator additions may be done by a system or network administrator. Verify whether the username,
20    hostname, and/or resource name should be making changes in your environment. Global administrator additions from
21    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
22    from the rule.
23    """,
24]
25index = ["filebeat-*", "logs-azure*"]
26language = "kuery"
27license = "Elastic License v2"
28name = "Azure Global Administrator Role Addition to PIM User"
29note = """## Setup
30
31The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
32references = [
33    "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
34]
35risk_score = 73
36rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
37severity = "high"
38tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
44    azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or
45                                    "Add member to role in PIM completed (timebound)") and
46    azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and
47    event.outcome:(Success or success)
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1098"
55name = "Account Manipulation"
56reference = "https://attack.mitre.org/techniques/T1098/"
57
58
59[rule.threat.tactic]
60id = "TA0003"
61name = "Persistence"
62reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top