Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Sigma rule (View on GitHub)

 1title: Azure Subscription Permission Elevation Via AuditLogs
 2id: ca9bf243-465e-494a-9e54-bf9fc239057d
 3status: test
 4description: |
 5    Detects when a user has been elevated to manage all Azure Subscriptions.
 6    This change should be investigated immediately if it isn't planned.
 7    This setting could allow an attacker access to Azure subscriptions in your environment.    
 8references:
 9    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
10author: Austin Songer @austinsonger
11date: 2021/11/26
12modified: 2022/12/25
13tags:
14    - attack.initial_access
15    - attack.t1078
16logsource:
17    product: azure
18    service: auditlogs
19detection:
20    selection:
21        Category: 'Administrative'
22        OperationName: 'Assigns the caller to user access admin'
23    condition: selection
24falsepositives:
25    - If this was approved by System Administrator.
26level: high

References

Related rules

to-top