Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Privileged Account Permissions Changed

Back
Id0433c8a3-9aa6-4577-beef-2ea23be41137
RulenamePrivileged Account Permissions Changed
DescriptionDetects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.

Review any modifications to ensure they were made legitimately.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml
Version1.0.1
Arm template0433c8a3-9aa6-4577-beef-2ea23be41137.json
Deploy To Azure
let admin_users = (IdentityInfo
  | where TimeGenerated > ago(2d)
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName has "Add eligible member"
  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(userPrincipalName) in (admin_users)
  | extend Group = tostring(TargetResources[0].displayName)
  | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
  | extend mod_props = TargetResources[0].modifiedProperties
  | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
  | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend AddedBy = iif(isnotempty(appName), appName, UPN)
  | mv-expand mod_props
  | where mod_props.displayName == "Role.DisplayName"
  | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
  | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - BehaviorAnalytics
triggerOperator: gt
queryFrequency: 1d
name: Privileged Account Permissions Changed
tags:
- AADSecOpsGuide
queryPeriod: 2d
id: 0433c8a3-9aa6-4577-beef-2ea23be41137
description: |
  'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.
  Review any modifications to ensure they were made legitimately.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
severity: Medium
query: |
  let admin_users = (IdentityInfo
    | where TimeGenerated > ago(2d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
    AuditLogs
    | where Category =~ "RoleManagement"
    | where OperationName has "Add eligible member"
    | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | where tolower(userPrincipalName) in (admin_users)
    | extend Group = tostring(TargetResources[0].displayName)
    | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
    | extend mod_props = TargetResources[0].modifiedProperties
    | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
    | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend AddedBy = iif(isnotempty(appName), appName, UPN)
    | mv-expand mod_props
    | where mod_props.displayName == "Role.DisplayName"
    | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
    | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy  
version: 1.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: userPrincipalName
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AddedBy
relevantTechniques:
- T1078.004
tactics:
- PrivilegeEscalation
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Privileged Account Permissions Changed",
        "description": "'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\nReview any modifications to ensure they were made legitimately.\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let admin_users = (IdentityInfo\n  | where TimeGenerated > ago(2d)\n  | summarize arg_max(TimeGenerated, *) by AccountUPN\n  | where AssignedRoles contains \"admin\"\n  | summarize by tolower(AccountUPN));\n  AuditLogs\n  | where Category =~ \"RoleManagement\"\n  | where OperationName has \"Add eligible member\"\n  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\n  | where tolower(userPrincipalName) in (admin_users)\n  | extend Group = tostring(TargetResources[0].displayName)\n  | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\n  | extend mod_props = TargetResources[0].modifiedProperties\n  | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n  | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend AddedBy = iif(isnotempty(appName), appName, UPN)\n  | mv-expand mod_props\n  | where mod_props.displayName == \"Role.DisplayName\"\n  | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\n  | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P2D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "0433c8a3-9aa6-4577-beef-2ea23be41137",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "userPrincipalName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AddedBy"
              }
            ],
            "entityType": "Account"
          }
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml"
      }
    }
  ]
}