M365 SharePoint Site Administrator Added

Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.

Elastic rule

[metadata]
creation_date = "2026/03/02"
integration = ["o365"]
maturity = "production"
updated_date = "2026/03/02"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators
have full control over SharePoint Sites, including the ability to manage permissions, access all content, and
modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a
Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique
was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy
ransom notes across SharePoint sites.
"""
false_positives = [
    "Legitimate IT administrators adding Site admins as part of routine SharePoint site management.",
    "Automated provisioning tools or scripts that assign Site admin roles during site creation workflows.",
    "Organizational restructuring where site ownership is being transferred to new administrators.",
]
from = "now-9m"
index = ["filebeat-*", "logs-o365.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 SharePoint Site Administrator Added"
note = """## Triage and Analysis

### Investigating M365 SharePoint Site Administrator Added

Site Administrators in SharePoint Online have full control over a Site, including the ability to manage permissions, access all content, and configure site-level settings. Adversaries who gain access to a privileged account may assign Site Administrator rights to maintain persistent access or facilitate data exfiltration. The `SiteCollectionAdminAdded` audit event is logged when this privilege is granted.

#### Possible Investigation Steps

- Review the `user.id` field to determine who performed the action. Assess whether this user normally manages SharePoint site permissions.
- Examine the `o365.audit.ModifiedProperties.SiteAdmin.NewValue` field to identify the account that was granted Site Administrator privileges.
- Check the `o365.audit.SiteUrl` or `url.original` to determine which Site was targeted. Assess the sensitivity of the data stored in this site.
- Review the `o365.audit.TargetUserOrGroupName` and `o365.audit.TargetUserOrGroupType` fields for additional context on the target principal.
- Pivot to sign-in logs for the acting account to look for anomalies such as logins from unfamiliar locations, devices, or IP ranges.
- Investigate whether the newly added admin account has performed subsequent actions such as file downloads, permission changes, or sharing link creation.
- Check for other recent `SiteCollectionAdminAdded` events to determine if multiple Sites were targeted in a short time frame, which may indicate bulk privilege escalation.

### False Positive Analysis

- Routine SharePoint administration tasks by IT teams may trigger this alert. Correlate with change management tickets or scheduled maintenance windows.
- Automated provisioning tools that assign Site admin roles during site creation or migration workflows may generate expected alerts.
- Organizational changes such as team transitions or restructuring may involve legitimate Site admin reassignments.

### Response and Remediation

- If the admin addition is unauthorized, immediately remove the Site Administrator role from the suspicious account.
- Reset credentials for both the account that performed the action and the account that was added, especially if compromise is suspected.
- Review recent activity on the affected Site for signs of data exfiltration, permission changes, or content modifications.
- Enable or verify enforcement of MFA for all accounts with SharePoint administrative privileges.
- Audit the list of Site Administrators across all Sites to identify any other unauthorized additions.
- Consider implementing Privileged Access Management (PAM) or Privileged Identity Management (PIM) to require just-in-time elevation for SharePoint admin roles.
"""
references = [
    "https://learn.microsoft.com/en-us/purview/audit-log-activities#site-permissions-activities",
    "https://www.obsidiansecurity.com/blog/saas-ransomware-observed-sharepoint-microsoft-365/",
]
risk_score = 47
rule_id = "98ebd6a1-77db-4fe1-b4fd-1bd3c737b780"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Domain: Identity",
    "Data Source: Microsoft 365",
    "Data Source: Microsoft 365 Audit Logs",
    "Use Case: Identity and Access Audit",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:o365.audit
    and event.provider:(SharePoint or OneDrive)
    and event.category:web
    and event.action:SiteCollectionAdminAdded
    and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
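The script below is an added illustration and is not part of the Elastic rule or the detection-rules repository. It replays the five AND-ed conditions of the rule's KQL query over a handful of constructed o365.audit events (every account, site URL and timestamp is made up), then applies the triage step from the investigation guide that looks for many Sites being targeted in a short time frame. The 10-minute window and the three-site threshold are assumptions chosen for the example, not values from the rule, and the events use the flattened field names the guide refers to rather than the nested JSON a Filebeat document would carry.

```python
"""Added example: apply the rule's query conditions to constructed o365.audit
events and flag actors who add Site Administrators across several sites quickly."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ev(ts, actor, site, new_admin, **overrides):
    """Build a constructed (made-up) audit event; overrides tweak single fields."""
    event = {
        "@timestamp": ts,
        "event.dataset": "o365.audit",
        "event.provider": "SharePoint",
        "event.category": "web",
        "event.action": "SiteCollectionAdminAdded",
        "event.outcome": "success",
        "user.id": actor,
        "o365.audit.SiteUrl": site,
        "o365.audit.ModifiedProperties.SiteAdmin.NewValue": new_admin,
    }
    event.update(overrides)
    return event


# Constructed sample events; none of these are real audit records.
SAMPLE_EVENTS = [
    # one actor grants Site Administrator on three different sites within five minutes
    _ev("2026-03-02T10:00:00Z", "alice@example.com",
        "https://contoso.sharepoint.com/sites/finance", "mallory@example.com"),
    _ev("2026-03-02T10:02:00Z", "alice@example.com",
        "https://contoso.sharepoint.com/sites/hr", "mallory@example.com"),
    _ev("2026-03-02T10:05:00Z", "alice@example.com",
        "https://contoso.sharepoint.com/sites/legal", "mallory@example.com"),
    # a single OneDrive addition: matches the rule but is not a bulk pattern
    _ev("2026-03-02T11:00:00Z", "bob@example.com",
        "https://contoso-my.sharepoint.com/personal/bob_example_com",
        "carol@example.com", **{"event.provider": "OneDrive"}),
    # failed attempt: excluded because the rule requires event.outcome:success
    _ev("2026-03-02T11:10:00Z", "bob@example.com",
        "https://contoso.sharepoint.com/sites/it", "carol@example.com",
        **{"event.outcome": "failure"}),
    # a different SharePoint action: excluded by event.action
    _ev("2026-03-02T11:20:00Z", "bob@example.com",
        "https://contoso.sharepoint.com/sites/it", "carol@example.com",
        **{"event.action": "SiteCollectionAdminRemoved"}),
    # Exchange workload: excluded by event.provider
    _ev("2026-03-02T11:30:00Z", "bob@example.com",
        "https://contoso.sharepoint.com/sites/it", "carol@example.com",
        **{"event.provider": "Exchange"}),
]


def matches_rule(event):
    """Return True when the event satisfies every condition of the rule's query."""
    return (
        event.get("event.dataset") == "o365.audit"
        and event.get("event.provider") in ("SharePoint", "OneDrive")
        and event.get("event.category") == "web"
        and event.get("event.action") == "SiteCollectionAdminAdded"
        and event.get("event.outcome") == "success"
    )


def triage_fields(event):
    """Pull out the fields the investigation guide asks an analyst to review first."""
    return {
        "actor": event.get("user.id"),
        "new_admin": event.get("o365.audit.ModifiedProperties.SiteAdmin.NewValue"),
        "site": event.get("o365.audit.SiteUrl") or event.get("url.original"),
    }


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bulk_admin_additions(events, window=timedelta(minutes=10), min_sites=3):
    """Map actor -> sorted distinct sites for actors whose matching events cover at
    least `min_sites` distinct sites inside some sliding `window` (assumed values)."""
    by_actor = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            by_actor[ev["user.id"]].append((_ts(ev["@timestamp"]), ev["o365.audit.SiteUrl"]))
    flagged = {}
    for actor, hits in by_actor.items():
        hits.sort()
        flagged_sites, start = set(), 0
        for end in range(len(hits)):
            # advance the window start until all hits in [start, end] fit in `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sites = {site for _, site in hits[start:end + 1]}
            if len(sites) >= min_sites:
                flagged_sites |= sites
        if flagged_sites:
            flagged[actor] = sorted(flagged_sites)
    return flagged


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if matches_rule(ev):
            print("ALERT", triage_fields(ev))
    for actor, sites in bulk_admin_additions(SAMPLE_EVENTS).items():
        print("BULK", actor, "added Site Administrators on", len(sites), "sites:", sites)
```

Run as-is, it emits one alert line for each of the four events that satisfy the query and one bulk line for the actor who touched three sites inside the window; the failed, removal and Exchange events are dropped exactly where the corresponding KQL clause would drop them.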
