Privileged Account Permissions Changed
Id | 0433c8a3-9aa6-4577-beef-2ea23be41137 |
Rulename | Privileged Account Permissions Changed |
Description | Detects changes to permissions assigned to admin users. Threat actors may try to increase permission scope by adding additional roles to already privileged accounts. Review any modifications to ensure they were made legitimately. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory BehaviorAnalytics |
Kind | Scheduled |
Query frequency | 1d |
Query period | 2d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml |
Version | 1.0.1 |
Arm template | 0433c8a3-9aa6-4577-beef-2ea23be41137.json |
// Privileged-account lookup: the most recent IdentityInfo record per AccountUPN within the
// 2-day window whose AssignedRoles contains "admin" (case-insensitive), keyed by lower-cased UPN.
// The 2d window matches the rule's query period.
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
// RoleManagement audit events in which an already-privileged account is added as an eligible member.
// NOTE(review): only operations whose name contains "Add eligible member" are matched; other
// role-assignment operation names are not covered — confirm this scope is intended, since the
// rule description speaks of permission changes in general.
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName has "Add eligible member"
// Target of the assignment, taken from the first TargetResources entry.
| extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
// Keep only targets that are already in the privileged set (lower-cased to match the lookup key).
| where tolower(userPrincipalName) in (admin_users)
| extend Group = tostring(TargetResources[0].displayName)
// NOTE(review): the Group fallback is effectively unreachable here — a row with an empty
// userPrincipalName has already been dropped by the `in (admin_users)` filter above, unless
// admin_users itself contains an empty UPN.
| extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
// Actor: prefer the initiating application's displayName, otherwise the initiating user's UPN.
| extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend AddedBy = iif(isnotempty(appName), appName, UPN)
// One row per modified property; keep only the Role.DisplayName entry so RoleAdded names the role granted.
| mv-expand mod_props
| where mod_props.displayName == "Role.DisplayName"
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
// Surface the triage columns first; userPrincipalName and AddedBy remain for entity mapping.
| project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
triggerOperator: gt
queryFrequency: 1d
name: Privileged Account Permissions Changed
tags:
- AADSecOpsGuide
queryPeriod: 2d
id: 0433c8a3-9aa6-4577-beef-2ea23be41137
description: |
'Detects changes to permissions assigned to admin users. Threat actors may try to increase permission scope by adding additional roles to already privileged accounts.
Review any modifications to ensure they were made legitimately.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: Medium
query: |
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName has "Add eligible member"
| extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(userPrincipalName) in (admin_users)
| extend Group = tostring(TargetResources[0].displayName)
| extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
| extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend AddedBy = iif(isnotempty(appName), appName, UPN)
| mv-expand mod_props
| where mod_props.displayName == "Role.DisplayName"
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
| project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy
version: 1.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: userPrincipalName
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AddedBy
relevantTechniques:
- T1078.004
tactics:
- PrivilegeEscalation
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Privileged Account Permissions Changed",
"description": "'Detects changes to permissions assigned to admin users. Threat actors may try to increase permission scope by adding additional roles to already privileged accounts.\nReview any modifications to ensure they were made legitimately.\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
"severity": "Medium",
"enabled": true,
"query": "let admin_users = (IdentityInfo\n | where TimeGenerated > ago(2d)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | where AssignedRoles contains \"admin\"\n | summarize by tolower(AccountUPN));\n AuditLogs\n | where Category =~ \"RoleManagement\"\n | where OperationName has \"Add eligible member\"\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | where tolower(userPrincipalName) in (admin_users)\n | extend Group = tostring(TargetResources[0].displayName)\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\n | extend mod_props = TargetResources[0].modifiedProperties\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\n | mv-expand mod_props\n | where mod_props.displayName == \"Role.DisplayName\"\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\n",
"queryFrequency": "P1D",
"queryPeriod": "P2D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "0433c8a3-9aa6-4577-beef-2ea23be41137",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "userPrincipalName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AddedBy"
}
],
"entityType": "Account"
}
],
"tags": [
"AADSecOpsGuide"
],
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/PrivilegedAccountPermissionsChanged.yaml"
}
}
]
}