Privileged Account Permissions Changed
Id | 0433c8a3-9aa6-4577-beef-2ea23be41137 |
Rulename | Privileged Account Permissions Changed |
Description | Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts. Review any modifications to ensure they were made legitimately. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory BehaviorAnalytics |
Kind | Scheduled |
Query frequency | 1d |
Query period | 2d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml |
Version | 1.0.1 |
Arm template | 0433c8a3-9aa6-4577-beef-2ea23be41137.json |
// Flags role additions whose target account already holds a role containing "admin".
// admin_users: lowercase UPNs of accounts whose latest IdentityInfo record (last 2d) lists such a role.
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
// Keep only the most recent record per UPN so stale role data does not drive the match.
| summarize arg_max(TimeGenerated, *) by AccountUPN
// `contains` is a case-insensitive substring match, so any role name with "admin" in it qualifies.
| where AssignedRoles contains "admin"
// Single-column set consumed by `in (...)` below; that operator uses the first column, whatever its name.
| summarize by tolower(AccountUPN));
AuditLogs
| where Category =~ "RoleManagement"
// NOTE(review): only PIM eligibility assignments are matched here; direct "Add member to role"
// operations are not — confirm this narrower scope is intended.
| where OperationName has "Add eligible member"
| extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
// Rows whose target has no UPN (e.g. a group) are dropped here unless admin_users itself holds an empty UPN.
| where tolower(userPrincipalName) in (admin_users)
// Group fallback for AddedTo is therefore only reachable if an empty UPN survived the filter above.
| extend Group = tostring(TargetResources[0].displayName)
| extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
// Actor: prefer the initiating app's display name, fall back to the initiating user's UPN.
| extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend AddedBy = iif(isnotempty(appName), appName, UPN)
// One row per modified property; keep only the role-name entry and extract its new value.
| mv-expand mod_props
| where mod_props.displayName == "Role.DisplayName"
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
// project-reorder only moves these columns to the front; all other columns are retained.
| project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy
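# Microsoft Sentinel scheduled analytics rule: Privileged Account Permissions Changed.
# Keys and values are as published; nesting restored so the document parses as YAML.
# Runs daily over a 2d window, so consecutive runs overlap by one day.
# NOTE(review): an AuditLogs event can fall into two consecutive windows — confirm alert dedup expectations.
queryFrequency: 1d
metadata:
  author:
    name: Pete Bryan
  source:
    kind: Community
  categories:
    domains:
      - Security - Others
      - Identity
  support:
    tier: Community
triggerOperator: gt
tactics:
  - PrivilegeEscalation
description: |
  'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.
  Review any modifications to ensure they were made legitimately.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
relevantTechniques:
  - T1078.004
name: Privileged Account Permissions Changed
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml
severity: Medium
# Any matching row raises an alert (gt 0).
triggerThreshold: 0
version: 1.0.1
# Entities: the target account (userPrincipalName) and the actor (AddedBy, app name or user UPN).
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: userPrincipalName
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AddedBy
tags:
  - AADSecOpsGuide
id: 0433c8a3-9aa6-4577-beef-2ea23be41137
# The query reads AuditLogs and IdentityInfo; IdentityInfo is populated by UEBA, hence the BehaviorAnalytics connector.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - BehaviorAnalytics
kind: Scheduled
# Block scalar: the KQL below is stored verbatim (comments cannot be placed inside it without becoming query text).
query: |
  let admin_users = (IdentityInfo
  | where TimeGenerated > ago(2d)
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName has "Add eligible member"
  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(userPrincipalName) in (admin_users)
  | extend Group = tostring(TargetResources[0].displayName)
  | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)
  | extend mod_props = TargetResources[0].modifiedProperties
  | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
  | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend AddedBy = iif(isnotempty(appName), appName, UPN)
  | mv-expand mod_props
  | where mod_props.displayName == "Role.DisplayName"
  | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
  | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy
queryPeriod: 2d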
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0433c8a3-9aa6-4577-beef-2ea23be41137')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Privileged Account Permissions Changed",
"description": "'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.\nReview any modifications to ensure they were made legitimately.\nRef: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
"severity": "Medium",
"enabled": true,
"query": "let admin_users = (IdentityInfo\n | where TimeGenerated > ago(2d)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | where AssignedRoles contains \"admin\"\n | summarize by tolower(AccountUPN));\n AuditLogs\n | where Category =~ \"RoleManagement\"\n | where OperationName has \"Add eligible member\"\n | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | where tolower(userPrincipalName) in (admin_users)\n | extend Group = tostring(TargetResources[0].displayName)\n | extend AddedTo = iif(isnotempty(userPrincipalName), userPrincipalName, Group)\n | extend mod_props = TargetResources[0].modifiedProperties\n | extend appName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend UPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend AddedBy = iif(isnotempty(appName), appName, UPN)\n | mv-expand mod_props\n | where mod_props.displayName == \"Role.DisplayName\"\n | extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))\n | project-reorder TimeGenerated, OperationName, AddedTo, RoleAdded, AddedBy\n",
"queryFrequency": "P1D",
"queryPeriod": "P2D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "0433c8a3-9aa6-4577-beef-2ea23be41137",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "userPrincipalName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AddedBy"
}
]
}
],
"templateVersion": "1.0.1",
"tags": [
"AADSecOpsGuide"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml"
}
}
]
}