// Name: Granting permissions to account - detection variant
//
// Id: b2c15736-b9eb-4dae-8b02-3016b6a45a32
//
// Description: looks for IPs from which users grant access to others on azure resources. A new
// source IP address for such activity results in an alert being generated.
//
// DataSource: #AzureActivity
//
// Severity: Medium
//
// QueryFrequency: 24
//
// QueryPeriod: 24
//
// AlertTriggerOperator: gt
//
// AlertTriggerThreshold: 0
//
// Tactics: #Persistence,#Privilege Escalation
//
let createRoleAssignmentActivity = AzureActivity
| where OperationName == "Create role assignment"
| where ActivityStatus == "Succeeded"
| project TimeGenerated, EventSubmissionTimestamp, Caller, CallerIpAddress, SubscriptionId, ResourceId;
// The number of operations below which an IP address is considered an unusual source of role assignment operations
let alertOperationThreshold = 5;
createRoleAssignmentActivity
| where TimeGenerated >= ago(30d)
| summarize count() by CallerIpAddress
| where count_ <= alertOperationThreshold
| join kind = rightsemi ( createRoleAssignmentActivity
| where TimeGenerated >= ago(1d)
) on CallerIpAddresscloudflare/Azure-Sentinel
Publicmirrored fromhttps://github.com/cloudflare/Azure-Sentinel
Detections/AzureActivity/Granting_Permissions_To_Account_detection.txt
34lines · modepreview
7 years ago