Microsoft 365 Global Administrator Role Assigned
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/06"
3integration = ["o365"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
11is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
12identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
13Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
14subscriptions and their settings and resources.
15"""
16from = "now-25m"
17index = ["filebeat-*", "logs-o365*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Microsoft 365 Global Administrator Role Assigned"
21note = """## Setup
22
23The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
24references = [
25 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
26]
27risk_score = 47
28rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
29severity = "medium"
30tags = [
31 "Domain: Cloud",
32 "Data Source: Microsoft 365",
33 "Use Case: Identity and Access Audit",
34 "Tactic: Persistence",
35]
36timestamp_override = "event.ingested"
37type = "query"
38
39query = '''
40event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and
41o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1098"
49name = "Account Manipulation"
50reference = "https://attack.mitre.org/techniques/T1098/"
51[[rule.threat.technique.subtechnique]]
52id = "T1098.003"
53name = "Additional Cloud Roles"
54reference = "https://attack.mitre.org/techniques/T1098/003/"
55
56
57
58[rule.threat.tactic]
59id = "TA0003"
60name = "Persistence"
61reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange Management Group Role Assignment
- AWS IAM Group Creation
- AWS IAM User Addition to Group
- Azure AD Global Administrator Role Assigned
- Azure Automation Account Created