User Added To Privilege Role

 1title: User Added To Privilege Role
 2id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
 3status: test
 4description: Detects when a user is added to a privileged role.
 5references:
 6    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022/08/06
 9tags:
10    - attack.privilege_escalation
11    - attack.defense_evasion
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        properties.message:
19            - Add eligible member (permanent)
20            - Add eligible member (eligible)
21    condition: selection
22falsepositives:
23    - Legtimate administrator actions of adding members from a role
24level: high

References

• Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

  

  Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

  
  Read More

Related rules

• Users Added to Global or Device Admin Roles
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Application AppID Uri Configuration Changes