User Added To Privilege Role
Detects when a user is added to a privileged role.
Sigma rule (View on GitHub)
1title: User Added To Privilege Role
2id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
3status: test
4description: Detects when a user is added to a privileged role.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
8date: 2022-08-06
9tags:
10 - attack.privilege-escalation
11 - attack.defense-evasion
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 properties.message:
19 - Add eligible member (permanent)
20 - Add eligible member (eligible)
21 condition: selection
22falsepositives:
23 - Legtimate administrator actions of adding members from a role
24level: high
References
-
Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.
Read More
Related rules
- Github New Secret Created
- Github Self Hosted Runner Changes Detected
- Users Added to Global or Device Admin Roles
- APT PRIVATELOG Image Load Pattern
- AWS Root Credentials