Bulk Deletion Changes To Privileged Account Permissions

Aug 12, 2024 · attack.persistence attack.t1098 ·

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Sigma rule (View on GitHub)

 1title: Bulk Deletion Changes To Privileged Account Permissions
 2id: 102e11e3-2db5-4c9e-bc26-357d42585d21
 3status: test
 4description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-05
 9tags:
10    - attack.persistence
11    - attack.t1098
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Remove eligible member (permanent)
19            - Remove eligible member (eligible)
20    condition: selection
21falsepositives:
22    - Legtimate administrator actions of removing members from a role
23level: high

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

Read More

Bulk Deletion Changes To Privileged Account Permissions

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Related rules