Detectionhightest

User Added To Privilege Role

Detects when a user is added to a privileged role.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark Morowczynski, Yochana HendersonCreated Sat Aug 0649a268a4-72f4-4e38-8a7b-885be690c5b5cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message:
            - Add eligible member (permanent)
            - Add eligible member (eligible)
    condition: selection

False Positives

Legtimate administrator actions of adding members from a role

References

Resolving title…

learn.microsoft.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0001 · Initial Access TA0004 · Privilege Escalation TA0005 · Defense Evasion

Sub-techniques

T1078.004 · Cloud Accounts

Rule Metadata

Rule ID

49a268a4-72f4-4e38-8a7b-885be690c5b5

Status

test

Level

high

Type

Detection

Created

Sat Aug 06

Author

Mark Morowczynski, Yochana Henderson

Path

rules/cloud/azure/audit_logs/azure_priviledged_role_assignment_add.yml

Raw Tags

attack.persistenceattack.initial-accessattack.privilege-escalationattack.defense-evasionattack.t1078.004

View on GitHub