Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Sigma rule (View on GitHub)
1title: Bulk Deletion Changes To Privileged Account Permissions
2id: 102e11e3-2db5-4c9e-bc26-357d42585d21
3status: test
4description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
8date: 2022/08/05
9tags:
10 - attack.persistence
11 - attack.t1098
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 properties.message:
18 - Remove eligible member (permanent)
19 - Remove eligible member (eligible)
20 condition: selection
21falsepositives:
22 - Legtimate administrator actions of removing members from a role
23level: high
References
Related rules
- Privileged User Has Been Created
- AWS IAM Backdoor Users Keys
- AWS Route 53 Domain Transfer Lock Disabled
- AWS Route 53 Domain Transferred to Another Account
- AWS User Login Profile Was Modified