Granting Of Permissions To An Account
Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
Sigma rule
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.Authorization/roleAssignments/write
    condition: keywords
falsepositives:
    - Valid change
level: medium
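The detection section above matches every `Microsoft.Authorization/roleAssignments/write` event; the "previously unseen source IP" part of the description needs a comparison against a baseline period. The following is an added example of that comparison, not part of the Sigma rule or of the referenced Sentinel detection. The record field names, the sample events and the 14-day baseline with a 1-day alert window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Sigma keyword matching is case-insensitive, so compare in lower case.
ROLE_WRITE = "microsoft.authorization/roleassignments/write"

# Constructed sample records. Field names are assumptions for this example;
# map them to the columns of your own activity log export.
FIELDS = ("time", "caller", "callerIpAddress", "operationName")
ROWS = [
    ("2024-03-05T09:12:00", "alice@example.com", "198.51.100.10",
     "Microsoft.Authorization/roleAssignments/write"),
    ("2024-03-08T14:30:00", "bob@example.com", "198.51.100.10",
     "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"),
    ("2024-03-10T11:00:00", "alice@example.com", "203.0.113.77",
     "Microsoft.Compute/virtualMachines/write"),  # not a role grant
    ("2024-03-15T08:05:00", "alice@example.com", "198.51.100.10",
     "Microsoft.Authorization/roleAssignments/write"),
    ("2024-03-15T10:41:00", "bob@example.com", "203.0.113.77",
     "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def role_grants(events):
    """Events the Sigma keyword would match (role assignment writes)."""
    return [e for e in events if ROLE_WRITE in e["operationName"].lower()]

def unseen_ip_grants(events, now, baseline_days=14, window_days=1):
    """Role grants in the alert window whose source IP performed no role
    grant during the preceding baseline period."""
    window_start = now - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=baseline_days)
    known_ips, alerts = set(), []
    for e in sorted(role_grants(events), key=lambda e: e["time"]):
        ts = datetime.fromisoformat(e["time"])
        if baseline_start <= ts < window_start:
            known_ips.add(e["callerIpAddress"])
        elif window_start <= ts <= now and e["callerIpAddress"] not in known_ips:
            alerts.append(e)
    return alerts

if __name__ == "__main__":
    for a in unseen_ip_grants(EVENTS, datetime(2024, 3, 15, 12, 0)):
        print(a["time"], a["caller"], a["callerIpAddress"])
```

Only role-grant events build the baseline, so an IP seen for other operations (the virtual machine write in the sample) still counts as new the first time it assigns a role.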
Related rules
- Github Outside Collaborator Detected
- Okta Admin Role Assigned to an User or Group
- User Added to an Administrator's Azure AD Role
- Google Workspace Application Access Level Modified
- App Assigned To Azure RBAC/Microsoft Entra Role