Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
Sigma rule
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
status: test
description: Monitor and alert for users added to device admin roles.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
author: Michael Epping, '@mepples21'
date: 2022/06/28
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: RoleManagement
        OperationName|contains|all:
            - 'Add'
            - 'member to role'
        TargetResources|contains:
            - '7698a772-787b-4ac8-901f-60d6b08affd2'
            - '62e90394-69f5-4237-9190-012177145e10'
    condition: selection
falsepositives:
    - Unknown
level: high
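The selection above can be exercised locally before shipping it to a SIEM. The following Python is an added example, not part of the Sigma rule or its repository: it applies the three conditions (Category, case-insensitive `contains|all` on OperationName, `contains` on the serialised TargetResources) to constructed audit-log records. The record shape and operation names are assumptions modelled on Azure AD audit logs, not captured data.

```python
import json

# Role template ids exactly as listed in the rule's TargetResources|contains
ROLE_TEMPLATE_IDS = (
    "7698a772-787b-4ac8-901f-60d6b08affd2",
    "62e90394-69f5-4237-9190-012177145e10",
)
# Tokens from OperationName|contains|all (Sigma matching is case-insensitive)
OPERATION_TOKENS = ("add", "member to role")


def matches_rule(event: dict) -> bool:
    """True when one Azure audit-log record satisfies the rule's selection."""
    if event.get("Category") != "RoleManagement":
        return False
    op = str(event.get("OperationName", "")).lower()
    if not all(tok in op for tok in OPERATION_TOKENS):   # |contains|all
        return False
    # TargetResources is nested; evaluate |contains over its serialised form so
    # the role template id is found wherever it sits in the structure.
    blob = json.dumps(event.get("TargetResources", "")).lower()
    return any(rid in blob for rid in ROLE_TEMPLATE_IDS)


def alerts(events):
    """Return the subset of records that would raise this alert."""
    return [e for e in events if matches_rule(e)]


def _event(operation, role_id, category="RoleManagement"):
    """Constructed record shaped like an Azure AD audit entry (assumed layout)."""
    return {
        "Category": category,
        "OperationName": operation,
        "TargetResources": [{"type": "User", "modifiedProperties": [
            {"displayName": "Role.TemplateId", "newValue": f'"{role_id}"'}]}],
    }


# Constructed sample log, two expected hits and three expected misses
SAMPLE_EVENTS = [
    _event("Add member to role", "62e90394-69f5-4237-9190-012177145e10"),  # hit
    _event("Add eligible member to role in PIM completed (permanent)",
           "7698a772-787b-4ac8-901f-60d6b08affd2"),                           # hit
    _event("Remove member from role", "62e90394-69f5-4237-9190-012177145e10"),  # removal
    _event("Add member to role", "00000000-0000-0000-0000-000000000000"),   # other role
    _event("Add member to role", "62e90394-69f5-4237-9190-012177145e10",
           category="UserManagement"),                                       # wrong category
]
```

Feed real exported audit records to `alerts()` to confirm the field names your pipeline emits line up with the rule's `Category`, `OperationName` and `TargetResources` before relying on the conversion.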
Related rules
- User Added To Privilege Role
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Application AppID Uri Configuration Changes