New User Assigned to Privileged Role

Back


Id	050b9b3d-53d0-4364-a3da-1b678b8211ec
Rulename	New User Assigned to Privileged Role
Description	Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn’t the responsibility of the account holder, investigate.
Severity	High
Tactics	Persistence
Techniques	T1078.004
Required data connectors	AzureActiveDirectory
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml
Version	1.1.1
Arm template	050b9b3d-53d0-4364-a3da-1b678b8211ec.json

KQL

// Define the start and end times based on input values
let starttime = now()-1h;
let endtime = now();
// Set a lookback period of 14 days
let lookback = starttime - 14d;
// Define a reusable function to query audit logs
let awsFunc = (start:datetime, end:datetime) {
  AuditLogs
  | where TimeGenerated between (start..end)
  | where Category =~ "RoleManagement"
  | where AADOperationType in ("Assign", "AssignEligibleRole")
  | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
  | mv-apply TargetResource = TargetResources on
    (
      where TargetResource.type in~ ("User", "ServicePrincipal")
      | extend Target = iff(TargetResource.type =~ "ServicePrincipal", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),
      props = TargetResource.modifiedProperties
    )
  | mv-apply Property = props on
    (
      where Property.displayName =~ "Role.DisplayName"
      | extend RoleName = trim('"', tostring(Property.newValue))
    )
  | where RoleName contains "Admin" and Result == "success"
};
// Query for audit events in the current day
let EventInfo_CurrentDay = awsFunc(starttime, endtime);
// Query for audit events in the historical period (lookback)
let EventInfo_historical = awsFunc(lookback, starttime);
// Find unseen events by performing a left anti-join
let EventInfo_Unseen = (EventInfo_CurrentDay
  | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName
);
// Extend and clean up the results
EventInfo_Unseen
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
// You can uncomment the lines below to filter out PIM activations
// | where Initiator != "MS-PIM" and Initiator != "MS-PIM-Fairfax"
// | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result
// Project specific columns and split them for further analysis
| project TimeGenerated, OperationName, RoleName, Target, Initiator, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result
| extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatorUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])

YAML

kind: Scheduled
name: New User Assigned to Privileged Role
status: Available
severity: High
queryFrequency: 1h
description: |
    Identifies when a privileged role is assigned to a new user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.
tags:
- AADSecOpsGuide
queryPeriod: 14d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Target
    identifier: FullName
  - columnName: TargetName
    identifier: Name
  - columnName: TargetUPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: InitiatingUserPrincipalName
    identifier: FullName
  - columnName: InitiatorName
    identifier: Name
  - columnName: InitiatorUPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: InitiatingAadUserId
    identifier: AadUserId
- entityType: Account
  fieldMappings:
  - columnName: InitiatingAppServicePrincipalId
    identifier: AadUserId
- entityType: IP
  fieldMappings:
  - columnName: InitiatingIpAddress
    identifier: Address
id: 050b9b3d-53d0-4364-a3da-1b678b8211ec
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml
relevantTechniques:
- T1078.004
query: |
  // Define the start and end times based on input values
  let starttime = now()-1h;
  let endtime = now();
  // Set a lookback period of 14 days
  let lookback = starttime - 14d;
  // Define a reusable function to query audit logs
  let awsFunc = (start:datetime, end:datetime) {
    AuditLogs
    | where TimeGenerated between (start..end)
    | where Category =~ "RoleManagement"
    | where AADOperationType in ("Assign", "AssignEligibleRole")
    | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
    | mv-apply TargetResource = TargetResources on
      (
        where TargetResource.type in~ ("User", "ServicePrincipal")
        | extend Target = iff(TargetResource.type =~ "ServicePrincipal", tostring(TargetResource.displayName), tostring(TargetResource.userPrincipalName)),
        props = TargetResource.modifiedProperties
      )
    | mv-apply Property = props on
      (
        where Property.displayName =~ "Role.DisplayName"
        | extend RoleName = trim('"', tostring(Property.newValue))
      )
    | where RoleName contains "Admin" and Result == "success"
  };
  // Query for audit events in the current day
  let EventInfo_CurrentDay = awsFunc(starttime, endtime);
  // Query for audit events in the historical period (lookback)
  let EventInfo_historical = awsFunc(lookback, starttime);
  // Find unseen events by performing a left anti-join
  let EventInfo_Unseen = (EventInfo_CurrentDay
    | join kind=leftanti(EventInfo_historical) on Target, RoleName, OperationName
  );
  // Extend and clean up the results
  EventInfo_Unseen
  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
  | extend Initiator = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
  // You can uncomment the lines below to filter out PIM activations
  // | where Initiator != "MS-PIM" and Initiator != "MS-PIM-Fairfax"
  // | summarize StartTime=min(TimeGenerated), EndTime=min(TimeGenerated) by OperationName, RoleName, Target, Initiator, Result
  // Project specific columns and split them for further analysis
  | project TimeGenerated, OperationName, RoleName, Target, Initiator, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppServicePrincipalId, InitiatingIpAddress, Result
  | extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatorUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])  
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
version: 1.1.1
triggerThreshold: 0

ARM