Detectionhightest

Bulk Deletion Changes To Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark Morowczynski, Yochana HendersonCreated Fri Aug 05102e11e3-2db5-4c9e-bc26-357d42585d21cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message:
            - Remove eligible member (permanent)
            - Remove eligible member (eligible)
    condition: selection

False Positives

Legtimate administrator actions of removing members from a role

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence

Techniques

T1098 · Account Manipulation

Rule Metadata

Rule ID

102e11e3-2db5-4c9e-bc26-357d42585d21

Status

test

Level

high

Type

Detection

Created

Fri Aug 05

Author

Mark Morowczynski, Yochana Henderson

Path

rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_bulk_change.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1098

View on GitHub