User Added To Privilege Role
Detects when a user is added to a privileged role.
Sigma rule (View on GitHub)
1title: User Added To Privilege Role
2id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
3status: test
4description: Detects when a user is added to a privileged role.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
8date: 2022/08/06
9tags:
10 - attack.privilege_escalation
11 - attack.defense_evasion
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 properties.message:
19 - Add eligible member (permanent)
20 - Add eligible member (eligible)
21 condition: selection
22falsepositives:
23 - Legtimate administrator actions of adding members from a role
24level: high
References
Related rules
- Users Added to Global or Device Admin Roles
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Application AppID Uri Configuration Changes