Privileged Account Permissions Changed
| Id | 0433c8a3-9aa6-4577-beef-2ea23be41137 |
| Rulename | Privileged Account Permissions Changed |
| Description | Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts. Review any modifications to ensure they were made legitimately. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory BehaviorAnalytics |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 2d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml |
| Version | 1.0.7 |
| Arm template | 0433c8a3-9aa6-4577-beef-2ea23be41137.json |
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName has "Add eligible member"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend Group = tostring(TargetResources[0].displayName)
| extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
| mv-expand mod_props
| where mod_props.displayName == "Role.DisplayName"
| extend UserAgent = tostring(AdditionalDetails[0].value)
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml
query: |
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName has "Add eligible member"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend Group = tostring(TargetResources[0].displayName)
| extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
| mv-expand mod_props
| where mod_props.displayName == "Role.DisplayName"
| extend UserAgent = tostring(AdditionalDetails[0].value)
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName
description: |
'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.
Review any modifications to ensure they were made legitimately.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: Medium
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
- dataTypes:
- IdentityInfo
connectorId: BehaviorAnalytics
tags:
- AADSecOpsGuide
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- columnName: TargetUserPrincipalName
identifier: FullName
- columnName: TargetAccountName
identifier: Name
- columnName: TargetAccountUPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: TargetAadUserId
identifier: AadUserId
- entityType: Account
fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: InitiatingAccountName
identifier: Name
- columnName: InitiatingAccountUPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
tactics:
- PrivilegeEscalation
version: 1.0.7
relevantTechniques:
- T1078.004
triggerOperator: gt
name: Privileged Account Permissions Changed
id: 0433c8a3-9aa6-4577-beef-2ea23be41137
kind: Scheduled
queryFrequency: 1d
queryPeriod: 2d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"properties": {
"alertRuleTemplateName": "0433c8a3-9aa6-4577-beef-2ea23be41137",
"customDetails": null,
"description": "'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\nReview any modifications to ensure they were made legitimately.\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
"displayName": "Privileged Account Permissions Changed",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml",
"query": "let admin_users = (IdentityInfo\n | where TimeGenerated > ago(2d)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | where AssignedRoles contains \"admin\" or GroupMembership has \"Admin\"\n | summarize by tolower(AccountUPN));\n AuditLogs\n | where Category =~ \"RoleManagement\"\n | where OperationName has \"Add eligible member\"\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | where tolower(TargetUserPrincipalName) in (admin_users)\n | extend TargetAadUserId = tostring(TargetResources[0].id)\n | extend Group = tostring(TargetResources[0].displayName)\n | extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)\n | extend mod_props = TargetResources[0].modifiedProperties\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\n | extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)\n | mv-expand mod_props\n | where mod_props.displayName == \"Role.DisplayName\"\n | extend UserAgent = tostring(AdditionalDetails[0].value)\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \"@\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \"@\")[1])\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \"@\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \"@\")[1])\n | project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName\n",
"queryFrequency": "P1D",
"queryPeriod": "P2D",
"severity": "Medium",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.7",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}