Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has elevated their access to manage all Azure subscriptions. In Azure, a Global Administrator who performs "Elevate access" is granted the User Access Administrator role at the root scope (/), which lets them assign roles and manage every subscription and management group in the tenant. Any such elevation that was not planned should be investigated immediately, because it gives an attacker holding that account a path into every subscription in your environment. Note that elevate-access events are recorded in the directory (tenant-level) activity log, not in any single subscription's activity log, so the collection pipeline feeding this rule must include tenant-level activity events.

Sigma rule (View on GitHub)

title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021/11/26
modified: 2022/08/23
tags:
    - attack.initial_access
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
    condition: selection
falsepositives:
    - Planned elevations approved by a system administrator.
level: high
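To show what the selection above actually matches, here is the rule's logic applied to a handful of Azure Activity Log records in Python. This is an added example, not part of the Sigma rule or the SigmaHQ project. The sample events are constructed for the example in the shape of the Activity Log REST payload (`operationName.value`, `caller`, `eventTimestamp`, `status.value`); the field-name mapping from the Sigma `operationName` key onto that payload is an assumption, and a real backend would map it onto whatever column your SIEM exposes. Sigma compares string values case-insensitively by default, so the rule fires on the mixed-case form Azure emits as well as the upper-case form written in the rule.

```python
import json
from typing import Any, Dict, Iterable, List

# The Sigma selection, normalised to lower case because Sigma string
# matching is case-insensitive by default.
ELEVATE_ACCESS_OP = "microsoft.authorization/elevateaccess/action"

# Constructed sample records (not real tenant data) in the shape of the
# Azure Activity Log REST payload. One elevation succeeded, one was only
# started, the remaining two are ordinary noise that must not match.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "eventTimestamp": "2024-01-15T09:12:03Z",
        "caller": "alice@contoso.example",
        "operationName": {"value": "Microsoft.Authorization/elevateAccess/action"},
        "status": {"value": "Succeeded"},
    },
    {
        "eventTimestamp": "2024-01-15T09:12:01Z",
        "caller": "alice@contoso.example",
        "operationName": {"value": "MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION"},
        "status": {"value": "Started"},
    },
    {
        "eventTimestamp": "2024-01-15T09:30:44Z",
        "caller": "bob@contoso.example",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "status": {"value": "Succeeded"},
    },
    {
        "eventTimestamp": "2024-01-15T10:02:19Z",
        "caller": "deploy-sp@contoso.example",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
        "status": {"value": "Succeeded"},
    },
]


def operation_name(event: Dict[str, Any]) -> str:
    """Return operationName from the REST shape ({'value': ...}) or from a
    flattened export where it is already a plain string; '' when absent."""
    op = event.get("operationName", "")
    if isinstance(op, dict):
        op = op.get("value", "")
    return op or ""


def matches_rule(event: Dict[str, Any]) -> bool:
    """The rule's single selection: operationName equals the elevateAccess
    action, compared case-insensitively as Sigma does."""
    return operation_name(event).lower() == ELEVATE_ACCESS_OP


def detect(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the rule over a batch of events and return one alert per hit.
    The Activity Log writes separate Started/Succeeded/Failed records for a
    single action, so the status is carried along for triage."""
    return [
        {
            "rule": "Azure Subscription Permission Elevation Via ActivityLogs",
            "level": "high",
            "time": e.get("eventTimestamp"),
            "caller": e.get("caller"),
            "status": (e.get("status") or {}).get("value"),
        }
        for e in events
        if matches_rule(e)
    ]


def detect_from_ndjson(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Same detection over newline-delimited JSON, one event per line."""
    return detect(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Running the block prints two alerts, both for `alice@contoso.example`: the `Started` and the `Succeeded` record of the same elevation. In triage, the `Succeeded` record is the one that confirms the caller now holds User Access Administrator at root scope; a `Started` record with no matching `Succeeded` or a `Failed` record still shows that the account attempted it.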
