Users Added to Global or Device Admin Roles

Oct 17, 2023 · attack.defense_evasion attack.privilege_escalation attack.t1078.004 ·

Monitor and alert for users added to device admin roles.

Sigma rule (View on GitHub)

 1title: Users Added to Global or Device Admin Roles
 2id: 11c767ae-500b-423b-bae3-b234450736ed
 3status: test
 4description: Monitor and alert for users added to device admin roles.
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
 7author: Michael Epping, '@mepples21'
 8date: 2022/06/28
 9tags:
10    - attack.defense_evasion
11    - attack.privilege_escalation
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        Category: RoleManagement
19        OperationName|contains|all:
20            - 'Add'
21            - 'member to role'
22        TargetResources|contains:
23            - '7698a772-787b-4ac8-901f-60d6b08affd2'
24            - '62e90394-69f5-4237-9190-012177145e10'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

Microsoft Entra security operations for devices - Microsoft Entra

Learn to establish baselines, and monitor and report on devices to identity potential security risks with devices.

Read More

Users Added to Global or Device Admin Roles

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for devices - Microsoft Entra

Related rules