Detectionmediumtest

User Added To Group With CA Policy Modification Access

Monitor and alert on group membership additions of groups that have CA policy modification access

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Thomas DetznerCreated Thu Aug 0491c95675-1f27-46d0-bead-d1ae96b97cd3cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message: Add member from group
    condition: selection

False Positives

User removed from the group is approved

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

91c95675-1f27-46d0-bead-d1ae96b97cd3

Status

test

Level

medium

Type

Detection

Created

Thu Aug 04

Author

Path

rules/cloud/azure/audit_logs/azure_group_user_addition_ca_modification.yml

Raw Tags

attack.privilege-escalationattack.credential-accessattack.defense-evasionattack.persistenceattack.t1548attack.t1556