Microsoft 365 Global Administrator Role Assigned
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/01/06"
3integration = ["o365"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
6min_stack_version = "8.8.0"
7updated_date = "2024/04/02"
8
9[rule]
10author = ["Elastic"]
11description = """
12In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
13is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
14identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
15Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
16subscriptions and their settings and resources.
17"""
18from = "now-25m"
19index = ["filebeat-*", "logs-o365*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Microsoft 365 Global Administrator Role Assigned"
23note = """## Setup
24
25The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
26references = [
27 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
28]
29risk_score = 47
30rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
31severity = "medium"
32tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and
38o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator"
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1098"
46name = "Account Manipulation"
47reference = "https://attack.mitre.org/techniques/T1098/"
48[[rule.threat.technique.subtechnique]]
49id = "T1098.003"
50name = "Additional Cloud Roles"
51reference = "https://attack.mitre.org/techniques/T1098/003/"
52
53
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- Microsoft 365 Exchange Management Group Role Assignment
- Attempts to Brute Force a Microsoft 365 User Account
- Microsoft 365 Exchange DKIM Signing Configuration Disabled
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Teams Custom Application Interaction Allowed