Bulk Deletion Changes To Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Sigma rule (View on GitHub)

 1title: Bulk Deletion Changes To Privileged Account Permissions
 2id: 102e11e3-2db5-4c9e-bc26-357d42585d21
 3status: test
 4description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022/08/05
 9tags:
10    - attack.persistence
11    - attack.t1098
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message:
18            - Remove eligible member (permanent)
19            - Remove eligible member (eligible)
20    condition: selection
21falsepositives:
22    - Legtimate administrator actions of removing members from a role
23level: high

References

Related rules

to-top