Microsoft 365 Exchange Management Group Role Assignment
Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/20"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in
13order to maintain persistence in an environment.
14"""
15false_positives = [
16 """
17 A new role may be assigned to a management group by a system or network administrator. Verify that the configuration
18 change was expected. Exceptions can be added to this rule to filter expected behavior.
19 """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Microsoft 365 Exchange Management Group Role Assignment"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = [
30 "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
31 "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
32]
33risk_score = 47
34rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
35severity = "medium"
36tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
37timestamp_override = "event.ingested"
38type = "query"
39
40query = '''
41event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:"New-ManagementRoleAssignment" and event.outcome:success
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1098"
49name = "Account Manipulation"
50reference = "https://attack.mitre.org/techniques/T1098/"
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
-
When you add a new role assignment, you can specify a built-in or custom role that was created using the New-ManagementRole cmdlet and specify an organizational unit (OU) or predefined or custom management scope to restrict the assignment. You can create custom management scopes using the New-ManagementScope cmdlet and can view a list of existing scopes using the Get-ManagementScope cmdlet. If you choose not to specify an OU, or predefined or custom scope, the implicit write scope of the role applies to the role assignment. For more information about management role assignments, see Understanding management role assignments. You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Read More -
Learn about admin roles, such as the global admin role, or the service admin role. Roles map to specific business functions and give permissions to do specific tasks in the Microsoft 365 admin center.
Read More
Related rules
- Microsoft 365 Global Administrator Role Assigned
- Attempts to Brute Force a Microsoft 365 User Account
- Microsoft 365 Exchange DKIM Signing Configuration Disabled
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Teams Custom Application Interaction Allowed