Microsoft Sentinel Analytic Rules

Privileged Account Permissions Changed

Id: 0433c8a3-9aa6-4577-beef-2ea23be41137
Rulename: Privileged Account Permissions Changed
Description: Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.

Review any modifications to ensure they were made legitimately.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
Severity: Medium
Tactics: PrivilegeEscalation
Techniques: T1078.004
Required data connectors: AzureActiveDirectory
BehaviorAnalytics
Kind: Scheduled
Query frequency: 1d
Query period: 2d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml
Version: 1.0.1
Arm template: 0433c8a3-9aa6-4577-beef-2ea23be41137.json
// Privileged Account Permissions Changed
// Returns one row per role added (as eligible membership) to an account that IdentityInfo
// already lists as an admin. The target (AddedTo), the role (RoleAdded) and the actor
// (AddedBy) are moved to the front of the result; every other column is retained.
//
// admin_users: lower-cased UPNs of accounts whose latest IdentityInfo record in the last 2 days
// (the same window as the rule's 2d query period) has an AssignedRoles value containing "admin".
// IdentityInfo is presumably populated by the BehaviorAnalytics (UEBA) connector the rule
// requires — confirm against the connector declaration.
let admin_users = (IdentityInfo
  | where TimeGenerated > ago(2d)
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  // Role-management audit events. Only operations whose name has "Add eligible member"
  // are matched. NOTE(review): other role-assignment operation names are not covered
  // here; confirm this narrower scope is intended, since the rule name and description
  // describe permission changes to privileged accounts in general.
  AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName has "Add eligible member"
  // The affected principal is read from TargetResources[0]. Keep only UPNs that are already
  // privileged; the comparison is case-insensitive because admin_users was lower-cased above.
  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(userPrincipalName) in (admin_users)
  // AddedTo falls back to the target's displayName when the UPN is empty. After the filter
  // above an empty UPN can only survive if IdentityInfo itself yielded an empty AccountUPN,
  // so this fallback is rarely (if ever) taken.
  | extend Group = tostring(TargetResources[0].displayName)
  | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
  | extend mod_props = TargetResources[0].modifiedProperties
  // Actor: prefer the initiating application's display name, otherwise the initiating
  // user's UPN. AddedBy is therefore not always a user account, which matters for the
  // Account entity mapped from this column.
  | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
  | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend AddedBy = iif(isnotempty(appName), appName, UPN)
  // Expand modifiedProperties to one row per property, keep the Role.DisplayName entry and
  // read the added role's name from its newValue.
  | mv-expand mod_props
  | where mod_props.displayName == "Role.DisplayName"
  | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
  // project-reorder only changes column order; intermediate columns such as Group, appName,
  // UPN and mod_props remain in the output.
  | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy
# Scheduled analytic rule definition (Azure-Sentinel repository YAML format).
# The rule runs once a day (queryFrequency) over a two-day window (queryPeriod, at the
# end of this file), so a single audit event can be returned by two consecutive runs.
queryFrequency: 1d
metadata:
  author:
    name: Pete Bryan
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
# Together with triggerThreshold: 0 below, "gt" means any returned row raises an alert.
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
  'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.
  Review any modifications to ensure they were made legitimately.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
relevantTechniques:
- T1078.004
name: Privileged Account Permissions Changed
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.1
# Both the targeted account (userPrincipalName) and the actor (AddedBy) are mapped as
# Account entities. The query fills AddedBy with the initiating application's display
# name when an app made the change, so the second entity is not always a user account.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: userPrincipalName
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AddedBy
tags:
- AADSecOpsGuide
id: 0433c8a3-9aa6-4577-beef-2ea23be41137
# NOTE(review): the query below also reads the IdentityInfo table, which is not declared
# as a dataType here; presumably it is delivered by the BehaviorAnalytics (UEBA)
# connector — confirm the declaration is sufficient for the content hub/validation.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - BehaviorAnalytics
kind: Scheduled
# KQL body: admin_users collects lower-cased UPNs of accounts whose latest IdentityInfo
# record lists a role containing "admin"; the main query then returns RoleManagement
# audit events with an "Add eligible member" operation targeting one of those UPNs.
# Only that operation name is matched — other role-assignment operations are out of scope.
query: |
  let admin_users = (IdentityInfo
    | where TimeGenerated > ago(2d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
    AuditLogs
    | where Category =~ "RoleManagement"
    | where OperationName has "Add eligible member"
    | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | where tolower(userPrincipalName) in (admin_users)
    | extend Group = tostring(TargetResources[0].displayName)
    | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
    | extend mod_props = TargetResources[0].modifiedProperties
    | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
    | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend AddedBy = iif(isnotempty(appName), appName, UPN)
    | mv-expand mod_props
    | where mod_props.displayName == "Role.DisplayName"
    | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
    | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy  
# Lookback window per run; matches the ago(2d) used for the IdentityInfo lookup.
queryPeriod: 2d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Privileged Account Permissions Changed",
        "description": "'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\nReview any modifications to ensure they were made legitimately.\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let admin_users = (IdentityInfo\n  | where TimeGenerated > ago(2d)\n  | summarize arg_max(TimeGenerated, *) by AccountUPN\n  | where AssignedRoles contains \"admin\"\n  | summarize by tolower(AccountUPN));\n  AuditLogs\n  | where Category =~ \"RoleManagement\"\n  | where OperationName has \"Add eligible member\"\n  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\n  | where tolower(userPrincipalName) in (admin_users)\n  | extend Group = tostring(TargetResources[0].displayName)\n  | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\n  | extend mod_props = TargetResources[0].modifiedProperties\n  | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n  | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend AddedBy = iif(isnotempty(appName), appName, UPN)\n  | mv-expand mod_props\n  | where mod_props.displayName == \"Role.DisplayName\"\n  | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\n  | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P2D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "0433c8a3-9aa6-4577-beef-2ea23be41137",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "userPrincipalName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AddedBy"
              }
            ]
          }
        ],
        "templateVersion": "1.0.1",
        "tags": [
          "AADSecOpsGuide"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml"
      }
    }
  ]
}