Privileged Account Creation

 1title: Privileged Account Creation
 2id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
 3status: test
 4description: Detects when a new admin is created.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
 8date: 2022-08-11
 9modified: 2022-08-16
10tags:
11    - attack.persistence
12    - attack.privilege-escalation
13    - attack.t1078.004
14logsource:
15    product: azure
16    service: auditlogs
17detection:
18    selection:
19        properties.message|contains|all:
20            - Add user
21            - Add member to role
22        Status: Success
23    condition: selection
24falsepositives:
25    - A legitimate new admin account being created
26level: medium

References

• Security operations for privileged accounts in Microsoft Entra ID - Microsoft Entra

  

  Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.

  
  Read More

Related rules

• Application AppID Uri Configuration Changes
• Application URI Configuration Changes
• Changes To PIM Settings
• Github New Secret Created
• Github SSH Certificate Configuration Changed