Detections/AuditLogs/AccountElevatedtoNewRole.yaml
# Scheduled analytics rule for Microsoft Sentinel.
# Alerts when a successful PIM role activation in the most recent day is for a
# (user, role) pair that had no successful PIM activation in the preceding
# ~13 days of the 14-day lookback (see the query below for the exact windows).
id: c1c66f0b-5531-4a3e-a619-9d2f770ef730
name: Account Elevated to New Role
description: |
  'Detects an account that is elevated to a new role where that account has not had that role in the last 14 days.
  Role elevations are a key mechanism for gaining permissions, monitoring which users have which roles, and for anomalies in those roles is useful for finding suspicious activity.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: Medium
# Needs the Azure AD connector; the query reads only the AuditLogs table.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
# Runs once a day over a 14-day data window. The query splits that window into a
# baseline (ago(14d)..ago(1d)) and the last day, so queryPeriod must be kept in
# sync with the widest ago() used in the query if either is changed.
queryFrequency: 1d
queryPeriod: 14d
# Any row returned by the query raises an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
# T1078.004 - Valid Accounts: Cloud Accounts.
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
# Query structure:
#   * Left side (baseline): successful "Add member to role completed (PIM activation)"
#     events between 14d and 1d ago, keyed on ElevatedUser / ElevatedRole.
#   * Right side (recent): the same event type from the last day, plus ElevatedBy
#     (the UPN of the initiating user, parsed out of InitiatedBy.user).
#   * `join kind = rightanti` keeps only recent rows with no baseline match on
#     (ElevatedRole, ElevatedUser). Only right-side columns survive a rightanti
#     join, which is why ElevatedBy is computed on that side only.
# ElevatedUser and ElevatedRole are read positionally from TargetResources: the
# user from [2], the role from [0], or from [3] when [0] is the "Member" entry.
# NOTE(review): this positional layout is assumed, not validated. If the event
# shape differs, the extracted values come back empty, the join key degrades and
# activations may be missed or reported repeatedly - confirm against current
# PIM activation audit events before relying on this rule.
# Both sides filter on the same OperationName and Result =~ "success", so only
# successful PIM activations contribute to the baseline or to alerts; failed
# activations and role assignments made through other operations are out of
# scope for this rule.
# Tuning: a (user, role) pair that is activated less often than roughly every
# two weeks (for example a monthly on-call role) will alert on each activation.
# ResultReason is not computed here; it is passed through from the AuditLogs row.
query: |
  AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName =~ "Add member to role completed (PIM activation)"
  | where Result =~ "success"
  | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)
  | extend displayName = tostring(TargetResources[0].displayName)
  | extend displayName2 = tostring(TargetResources[3].displayName)
  | extend ElevatedRole = iif(displayName =~ "Member", displayName2, displayName)
  | join kind = rightanti (AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName =~ "Add member to role completed (PIM activation)"
    | where Result =~ "success"
    | extend ElevatedUser = tostring(TargetResources[2].userPrincipalName)
    | extend displayName = tostring(TargetResources[0].displayName)
    | extend displayName2 = tostring(TargetResources[3].displayName)
    | extend ElevatedRole = iif(displayName =~ "Member", displayName2, displayName)
    | extend ElevatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) on ElevatedRole, ElevatedUser
  | project-reorder ElevatedUser, ElevatedRole, ResultReason,ElevatedBy
# Both the activated account (ElevatedUser) and the initiating account
# (ElevatedBy) are mapped as Account entities using their UPN.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ElevatedUser
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ElevatedBy
version: 1.0.0
kind: Scheduled