Azure RBAC Elevate Access
| Id | 132fdff4-c044-4855-a390-c1b71e0f833b |
| Rulename | Azure RBAC (Elevate Access) |
| Description | Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. Learn more |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1078 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml |
| Version | 1.0.0 |
| Arm template | 132fdff4-c044-4855-a390-c1b71e0f833b.json |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
suppressionEnabled: false
id: 132fdff4-c044-4855-a390-c1b71e0f833b
query: |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
suppressionDuration: PT5H
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml
description: |
'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'
name: Azure RBAC (Elevate Access)
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
groupByCustomDetails: []
createIncident: true
relevantTechniques:
- T1078
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Actor
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
triggerThreshold: 0
alertRuleTemplateName:
severity: High
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
eventGroupingSettings:
aggregationKind: SingleAlert
enabled: true
queryFrequency: 2h
queryPeriod: 2h
version: 1.0.0
kind: Scheduled
tactics:
- PrivilegeEscalation
triggerOperator: GreaterThan
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"properties": {
"alertRuleTemplateName": "132fdff4-c044-4855-a390-c1b71e0f833b",
"customDetails": null,
"description": "'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'\n",
"displayName": "Azure RBAC (Elevate Access)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Actor",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml",
"query": "AuditLogs\n| where Category =~ \"AzureRBACRoleManagementElevateAccess\"\n| where ActivityDisplayName =~ \"User has elevated their access to User Access Administrator for their Azure Resources\"\n| extend Actor = tostring(InitiatedBy.user.userPrincipalName)\n| extend IPAddress = tostring(InitiatedBy.user.ipAddress) \n| project\n TimeGenerated,\n Actor,\n OperationName,\n IPAddress,\n Result,\n LoggedByService\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}