Microsoft Entra ID Elevated Access to User Access Administrator

Identifies when a user has elevated their access to User Access Administrator for their Azure resources. Elevation is a Global Administrator action (the "Access management for Azure resources" setting in Entra ID) that grants the Azure RBAC User Access Administrator role at the root scope (/), so the holder can assign roles and permissions on every management group and subscription in the tenant. Adversaries who compromise a Global Administrator, or a role that can grant it such as Privileged Role Administrator, use elevation to move from control of the directory into control of Azure resources, which can lead to further privilege escalation and unauthorized access to sensitive resources. This is a New Terms rule that only signals if the user principal name has not been seen doing this activity in the last 14 days.

Elastic rule

[metadata]
creation_date = "2025/05/22"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/22"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when a user has elevated their access to User Access Administrator for their Azure Resources. The User Access
Administrator role allows users to manage user access to Azure resources, including the ability to assign roles and
permissions. Adversaries may target an Entra ID Global Administrator or other privileged role to elevate their access to
User Access Administrator, which can lead to further privilege escalation and unauthorized access to sensitive
resources. This is a New Terms rule that only signals if the user principal name has not been seen doing this activity
in the last 14 days.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID Elevated Access to User Access Administrator"
note = """## Triage and Analysis

### Investigating Microsoft Entra ID Elevated Access to User Access Administrator

This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Microsoft Entra ID (Azure AD). This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a **New Terms** rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.

### Possible investigation steps

- Review the `azure.auditlogs.properties.initiated_by.user.userPrincipalName` field to identify the user who elevated access.
- Check `source.ip` and associated `source.geo.*` fields to determine the origin of the action. Confirm whether the IP, ASN, and location are expected for this user.
- Investigate the application ID from `azure.auditlogs.properties.additional_details.value` to determine which interface or method was used to elevate access.
- Pivot to Azure `signinlogs` or Entra `auditlogs` to:
  - Review recent login history for the user.
  - Look for unusual sign-in patterns or MFA prompts.
  - Determine whether the account has performed any other privilege-related operations.
- Correlate with directory role assignments or role-based access control (RBAC) modifications to assess whether the elevated access was used to add roles or modify permissions.

### False positive analysis

- Legitimate admin actions may involve access elevation during maintenance, migration, or investigations.
- Some IT departments may elevate access temporarily without leaving structured change records.
- Review internal tickets, change logs, or admin activity dashboards for approved operations.

### Response and remediation

- If elevation was not authorized:
  - Immediately remove the User Access Administrator role from the account.
  - Disable or lock the account and begin credential rotation.
  - Audit activity performed by the account after elevation, especially changes to role assignments and resource access.
- If suspicious:
  - Notify the user and confirm whether they performed the action.
  - Check for any automation or scripts that could be exploiting unused elevated access paths.
  - Review conditional access and PIM (Privileged Identity Management) configurations to limit elevation without approval.
- Strengthen posture:
  - Require MFA and approval for all privilege escalation actions.
  - Consider enabling JIT (Just-in-Time) access with expiration.
  - Add alerts for repeated or unusual use of `Microsoft.Authorization/elevateAccess/action`.

"""
references = [
    "https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs/",
    "https://permiso.io/blog/azures-apex-permissions-elevate-access-the-logs-security-teams-overlook",
]
risk_score = 47
rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: azure.auditlogs
    and azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources"
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[rule.new_terms]
field = "new_terms_fields"
value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
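The rule above is the combination of a KQL predicate (dataset, exact operation name, successful outcome) and a new-terms stage keyed on the initiating user principal name with a 14-day history window. The following is an added example, not code from the Elastic rule or the Azure integration, that replays both stages over a handful of constructed, ECS-shaped audit documents so the suppression behaviour is visible: a second elevation by the same user seven days later is silent, a failed attempt never counts, and the same user elevating again after more than 14 days fires again. The nested field names come from the rule itself; the `AppId` key inside `additional_details` and the placeholder GUID are assumptions made for the sample data.

```python
"""Replay of the rule's query and new-terms logic over constructed audit events.

Added example; not code from the Elastic rule or the Azure integration. Field
paths follow the rule (event.dataset, event.outcome, azure.auditlogs.operation_name,
azure.auditlogs.properties.initiated_by.user.userPrincipalName). The "AppId"
key inside additional_details and the GUID below are assumptions for sample data.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

OPERATION = ("User has elevated their access to User Access Administrator "
             "for their Azure Resources")
NEW_TERMS_FIELD = "azure.auditlogs.properties.initiated_by.user.userPrincipalName"
HISTORY_WINDOW = timedelta(days=14)          # rule: history_window_start = now-14d
PLACEHOLDER_APP = "00000000-0000-4000-8000-000000000001"  # constructed, not a real app ID


def get_path(doc: dict, dotted: str) -> Any:
    """Walk a dotted ECS path through nested dicts; None if any hop is missing."""
    cur: Any = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_query(doc: dict) -> bool:
    """The rule's KQL predicate: dataset, exact operation name, successful outcome."""
    return (get_path(doc, "event.dataset") == "azure.auditlogs"
            and get_path(doc, "azure.auditlogs.operation_name") == OPERATION
            and get_path(doc, "event.outcome") == "success")


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def app_id(doc: dict) -> str | None:
    """Pull the app ID from the additional_details key/value list (key name assumed)."""
    for item in get_path(doc, "azure.auditlogs.properties.additional_details") or []:
        if isinstance(item, dict) and item.get("key") == "AppId":
            return item.get("value")
    return None


def find_alerts(docs: list[dict]) -> list[dict]:
    """One alert per matching event whose UPN has no matching event in the prior 14 days."""
    last_seen: dict[str, datetime] = {}
    alerts: list[dict] = []
    for doc in sorted(docs, key=lambda d: parse_ts(d["@timestamp"])):
        if not matches_query(doc):
            continue
        upn = get_path(doc, NEW_TERMS_FIELD)
        if not upn:
            continue
        ts = parse_ts(doc["@timestamp"])
        prev = last_seen.get(upn)
        if prev is None or ts - prev > HISTORY_WINDOW:
            alerts.append({
                "timestamp": doc["@timestamp"],
                "user": upn,
                "source_ip": get_path(doc, "source.ip"),
                "country": get_path(doc, "source.geo.country_iso_code"),
                "app_id": app_id(doc),
            })
        last_seen[upn] = ts  # every successful elevation restarts the 14-day window
    return alerts


def audit_event(ts: str, upn: str, outcome: str = "success", ip: str = "203.0.113.10",
                country: str = "DE", dataset: str = "azure.auditlogs") -> dict:
    """Build a constructed document shaped like an Elastic azure.auditlogs record."""
    return {
        "@timestamp": ts,
        "event": {"dataset": dataset, "outcome": outcome},
        "source": {"ip": ip, "geo": {"country_iso_code": country}},
        "azure": {"auditlogs": {
            "operation_name": OPERATION,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": upn}},
                "additional_details": [{"key": "AppId", "value": PLACEHOLDER_APP}],
            },
        }},
    }


# Constructed sample stream, not real tenant data.
SAMPLE_DOCS = [
    audit_event("2025-05-01T09:00:00Z", "alice@example.com"),                       # first seen: alert
    audit_event("2025-05-08T10:00:00Z", "alice@example.com"),                       # 7 days later: suppressed
    audit_event("2025-05-08T11:00:00Z", "bob@example.com", outcome="failure"),      # failed: ignored
    audit_event("2025-05-09T08:30:00Z", "bob@example.com", ip="198.51.100.7", country="US"),  # alert
    audit_event("2025-05-23T12:00:00Z", "alice@example.com"),                       # >14d since 05-08: alert
    audit_event("2025-05-23T12:05:00Z", "carol@example.com", dataset="azure.signinlogs"),    # wrong dataset
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_DOCS):
        print(alert)
```

The `last_seen` map is the whole new-terms state: it is why an attacker who already elevated once inside the window can elevate again without this rule noticing, which is the gap the Activity-log alert on `Microsoft.Authorization/elevateAccess/action` in the response section is meant to cover.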

Triage and Analysis

Investigating Microsoft Entra ID Elevated Access to User Access Administrator

This rule identifies when a Global Administrator uses the Entra ID "Access management for Azure resources" elevation (recorded in the Entra audit log as "User has elevated their access to User Access Administrator for their Azure Resources" and in the Azure Activity log as Microsoft.Authorization/elevateAccess/action) to grant themselves the Azure RBAC User Access Administrator role at the root scope (/). Root scope sits above every management group and subscription, so the assignment is inherited tenant-wide: the holder can assign any Azure role, to any principal, on any subscription, including Owner to themselves. Attackers who obtain a Global Administrator use this to move from control of the directory into control of Azure resources for persistence, lateral movement, or privilege escalation. Since this is a New Terms rule, the alert only fires if the user has not performed this elevation in the past 14 days, which reduces noise from administrators who elevate routinely but also means that a repeat elevation by an already-compromised account within that window will not alert on its own.

Possible investigation steps

  • Review the azure.auditlogs.properties.initiated_by.user.userPrincipalName field to identify the user who elevated access, and confirm that the account legitimately holds Global Administrator; elevation is not possible otherwise, so a success from an account that should not hold that role points to an earlier directory role change.
  • Check source.ip and the associated source.geo.* fields to determine the origin of the action. Confirm whether the IP, ASN, and location are expected for this user.
  • Investigate the application ID recorded in azure.auditlogs.properties.additional_details.value to determine which interface was used (Azure portal, Azure CLI or PowerShell, or an unfamiliar application); scripted elevation is uncommon in routine administration.
  • Pivot to Azure signinlogs or Entra auditlogs to:
    • Review recent login history for the user, especially the session immediately preceding the elevation.
    • Look for unusual sign-in patterns, new devices, or sign-ins that satisfied only single-factor authentication.
    • Determine whether the account has performed any other privilege-related operations, such as directory role assignments.
  • Correlate with Azure RBAC changes after the elevation (Microsoft.Authorization/roleAssignments/write in the Azure Activity log) to assess whether the elevated access was used to grant roles such as Owner or Contributor on subscriptions. User Access Administrator on its own only manages access, so these follow-on assignments are where the real impact appears.
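The sign-in pivot above is the step analysts usually do by hand in Discover. The following added example, which is not code from the rule or the Azure integration, automates the core of it: given one alert (the fields the guide names: UPN, source IP, country) and the user's recent sign-in documents, it checks whether the elevating IP ever signed in, whether any sign-in from that IP satisfied only single-factor authentication, and whether the alert's country appears in the user's baseline from other addresses. The field paths azure.signinlogs.properties.user_principal_name and azure.signinlogs.properties.authentication_requirement, with the values "singleFactorAuthentication" and "multiFactorAuthentication", are assumptions about how the Elastic Azure integration maps Entra sign-in records; all sample records are constructed.

```python
"""Correlate an elevate-access alert with the user's recent Entra sign-ins.

Added example; not code from the rule or the Azure integration. Assumed field
paths: azure.signinlogs.properties.user_principal_name and
azure.signinlogs.properties.authentication_requirement (Entra values
"singleFactorAuthentication" / "multiFactorAuthentication"), plus ECS
source.ip and source.geo.country_iso_code. All records below are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

LOOKBACK = timedelta(days=7)
MFA = "multiFactorAuthentication"
UPN_FIELD = "azure.signinlogs.properties.user_principal_name"      # assumed mapping
AUTH_FIELD = "azure.signinlogs.properties.authentication_requirement"  # assumed mapping


def get_path(doc: dict, dotted: str) -> Any:
    cur: Any = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def signin(ts: str, upn: str, ip: str, country: str, auth: str) -> dict:
    """Constructed document shaped like an Elastic azure.signinlogs record."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.signinlogs", "outcome": "success"},
        "source": {"ip": ip, "geo": {"country_iso_code": country}},
        "azure": {"signinlogs": {"properties": {
            "user_principal_name": upn, "authentication_requirement": auth}}},
    }


def triage(alert: dict, signins: list[dict], lookback: timedelta = LOOKBACK) -> dict:
    """Score an elevate-access alert against the user's sign-ins in the lookback window."""
    alert_ts = parse_ts(alert["timestamp"])
    window = [s for s in signins
              if get_path(s, UPN_FIELD) == alert["user"]
              and alert_ts - lookback <= parse_ts(s["@timestamp"]) <= alert_ts]
    ips_seen = {get_path(s, "source.ip") for s in window}
    # Baseline geography comes from sessions that did NOT originate at the alert IP,
    # so a fresh sign-in from the attacker's address cannot vouch for itself.
    baseline_countries = {get_path(s, "source.geo.country_iso_code")
                          for s in window if get_path(s, "source.ip") != alert["source_ip"]}
    single_factor = [s for s in window
                     if get_path(s, "source.ip") == alert["source_ip"]
                     and get_path(s, AUTH_FIELD) != MFA]

    findings: list[str] = []
    if not window:
        findings.append("no sign-ins for this user in the lookback window; consider token replay or a logging gap")
    elif alert["source_ip"] not in ips_seen:
        findings.append(f"elevation from {alert['source_ip']} with no sign-in from that IP in window")
    if single_factor:
        findings.append(f"{len(single_factor)} single-factor sign-in(s) from the alert IP")
    # Only call the country new when there is a baseline to compare against.
    new_country = bool(baseline_countries) and alert["country"] not in baseline_countries
    if new_country:
        findings.append(f"elevation from {alert['country']}; baseline sign-ins only from {sorted(baseline_countries)}")

    return {
        "user": alert["user"],
        "signins_in_window": len(window),
        "alert_ip_seen": alert["source_ip"] in ips_seen,
        "single_factor_from_alert_ip": len(single_factor),
        "new_country": new_country,
        "findings": findings,
        "verdict": "escalate" if findings else "likely benign; confirm a change record",
    }


# Constructed sample data, not real tenant records.
SAMPLE_SIGNINS = [
    signin("2025-05-20T08:00:00Z", "alice@example.com", "203.0.113.10", "DE", MFA),
    signin("2025-05-22T08:15:00Z", "alice@example.com", "203.0.113.10", "DE", MFA),
    signin("2025-05-23T11:40:00Z", "alice@example.com", "198.51.100.7", "US", "singleFactorAuthentication"),
    signin("2025-05-07T09:00:00Z", "bob@example.com", "203.0.113.10", "DE", MFA),
    signin("2025-05-09T08:00:00Z", "bob@example.com", "203.0.113.10", "DE", MFA),
]
ALERT_ALICE = {"timestamp": "2025-05-23T12:00:00Z", "user": "alice@example.com",
               "source_ip": "198.51.100.7", "country": "US"}
ALERT_BOB = {"timestamp": "2025-05-09T08:30:00Z", "user": "bob@example.com",
             "source_ip": "203.0.113.10", "country": "DE"}

if __name__ == "__main__":
    for alert in (ALERT_ALICE, ALERT_BOB):
        print(triage(alert, SAMPLE_SIGNINS))
```

Alice's elevation twenty minutes after a single-factor sign-in from a country absent from her baseline is the pattern that should go straight to the response section; Bob's elevation from his usual MFA-backed session is the case where the ticket check decides.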

False positive analysis

  • Legitimate administrative tasks require elevation: for example, regaining access to a subscription whose only Owner has left, recovering an orphaned management group, or auditing role assignments across the tenant.
  • Some IT departments elevate temporarily without leaving structured change records, and may forget to remove the elevation afterwards.
  • Review internal tickets, change logs, or admin activity dashboards for approved operations, and remember that an administrator who elevates more often than every 14 days will not trigger this rule again until that window has passed.

Response and remediation

  • If elevation was not authorized:
    • Immediately remove the root-scope (/) User Access Administrator assignment, either by setting "Access management for Azure resources" back to No for that user or by deleting the role assignment directly; it persists until explicitly removed. Then remove any Azure role assignments the account created after elevating.
    • Disable or lock the account, revoke its sign-in sessions and refresh tokens, and begin credential rotation.
    • Audit activity performed by the account after elevation, especially changes to role assignments, resource access, and any new service principals or credentials it created.
  • If suspicious:
    • Notify the user and confirm whether they performed the action.
    • Check for any automation or scripts running under a Global Administrator identity that could invoke elevation without a human in the loop.
    • Review conditional access and PIM (Privileged Identity Management) configurations so that Global Administrator is activated just-in-time with approval rather than held permanently.
  • Strengthen posture:
    • Require MFA and approval for all privilege escalation actions, including Global Administrator activation.
    • Consider enabling JIT (Just-in-Time) access with expiration.
    • Add alerts for repeated or unusual use of Microsoft.Authorization/elevateAccess/action in the Azure Activity log, which also catches the repeat elevations this New Terms rule suppresses.

References

  • https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs/
  • https://permiso.io/blog/azures-apex-permissions-elevate-access-the-logs-security-teams-overlook