Microsoft 365 Exchange Management Group Role Assignment
Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/20"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in
11order to maintain persistence in an environment.
12"""
13false_positives = [
14 """
15 A new role may be assigned to a management group by a system or network administrator. Verify that the configuration
16 change was expected. Exceptions can be added to this rule to filter expected behavior.
17 """,
18]
19from = "now-30m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Microsoft 365 Exchange Management Group Role Assignment"
24note = """## Setup
25
26The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
27references = [
28 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
29 "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
30]
31risk_score = 47
32rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
33severity = "medium"
34tags = [
35 "Domain: Cloud",
36 "Data Source: Microsoft 365",
37 "Use Case: Identity and Access Audit",
38 "Tactic: Persistence",
39]
40timestamp_override = "event.ingested"
41type = "query"
42
43query = '''
44event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1098"
52name = "Account Manipulation"
53reference = "https://attack.mitre.org/techniques/T1098/"
54
55
56[rule.threat.tactic]
57id = "TA0003"
58name = "Persistence"
59reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
When you add a new role assignment, you can specify a built-in or custom role that was created using the New-ManagementRole cmdlet and specify an organizational unit (OU) or predefined or custom management scope to restrict the assignment. You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet. If you choose not to specify an OU, or predefined or custom scope, the implicit write scope of the role applies to the role assignment. For more information about management role assignments, see Understanding management role assignments. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
Learn about admin roles, such as the global admin role, or the service admin role. Roles map to specific business functions and give permissions to do specific tasks in the Microsoft 365 admin center.
Read More
Related rules
- Microsoft 365 Global Administrator Role Assigned
- AWS IAM Group Creation
- AWS IAM User Addition to Group
- Azure AD Global Administrator Role Assigned
- Azure Automation Account Created