Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Sigma rule
```yaml
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
    Detects when a user has been elevated to manage all Azure Subscriptions.
    This change should be investigated immediately if it isn't planned.
    This setting could allow an attacker access to Azure subscriptions in your environment.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021/11/26
modified: 2022/12/25
tags:
    - attack.initial_access
    - attack.t1078
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'Administrative'
        OperationName: 'Assigns the caller to user access admin'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: high
```
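The following added example (not part of the rule or the Sigma project) applies the rule's `selection` block to newline-delimited AuditLogs records, using Sigma's default case-insensitive string matching. The record layout (`Category`, `OperationName`, `Result`, `ActivityDateTime`, `InitiatedBy.user.userPrincipalName`) follows the Azure AD audit log schema, and the three sample records are constructed.

```python
import json

# Field/value pairs copied from the rule's 'selection' block.
SELECTION = {
    "Category": "Administrative",
    "OperationName": "Assigns the caller to user access admin",
}

# Constructed newline-delimited AuditLogs records (not from a real tenant):
# one elevation, one unrelated administrative event, and one elevation whose
# field values differ only in casing (Sigma still matches it).
SAMPLE_AUDITLOGS = """\
{"ActivityDateTime": "2021-11-26T09:14:02Z", "Category": "Administrative", "OperationName": "Assigns the caller to user access admin", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "alice@example.com"}}}
{"ActivityDateTime": "2021-11-26T09:20:45Z", "Category": "Administrative", "OperationName": "Add member to role", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "bob@example.com"}}}
{"ActivityDateTime": "2021-11-26T11:02:17Z", "Category": "administrative", "OperationName": "ASSIGNS THE CALLER TO USER ACCESS ADMIN", "Result": "success", "InitiatedBy": {"user": {"userPrincipalName": "carol@example.com"}}}
"""

def matches_selection(record: dict, selection: dict = SELECTION) -> bool:
    """Sigma compares plain string values case-insensitively; a record that
    lacks any selected field, or holds a non-string there, does not match."""
    for field, expected in selection.items():
        value = record.get(field)
        if not isinstance(value, str) or value.casefold() != expected.casefold():
            return False
    return True

def find_elevations(ndjson: str) -> list:
    """Parse NDJSON AuditLogs records and return who triggered the rule and when."""
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if matches_selection(rec):
            user = rec.get("InitiatedBy", {}).get("user", {})
            hits.append({
                "time": rec.get("ActivityDateTime"),
                "caller": user.get("userPrincipalName", "<unknown>"),
                "result": rec.get("Result"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_elevations(SAMPLE_AUDITLOGS):
        print(f"HIGH: {hit['caller']} elevated to User Access Administrator at {hit['time']}")
```

Each hit is the event to reconcile against an approved change record; anything without one is the unplanned elevation the rule is meant to surface.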
Related rules
- AWS Suspicious SAML Activity
- Logon from a Risky IP Address
- Microsoft 365 - Impossible Travel Activity
- Azure AD Threat Intelligence
- Activity From Anonymous IP Address