Azure RBAC Elevate Access
| Id | 132fdff4-c044-4855-a390-c1b71e0f833b |
| Rulename | Azure RBAC (Elevate Access) |
| Description | Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. Learn more |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1078 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml |
| Version | 1.0.0 |
| Arm template | 132fdff4-c044-4855-a390-c1b71e0f833b.json |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml
query: |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
description: |
'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'
severity: High
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
alertRuleTemplateName:
incidentConfiguration:
groupingConfiguration:
groupByAlertDetails: []
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
groupByEntities: []
matchingMethod: AllEntities
groupByCustomDetails: []
createIncident: true
eventGroupingSettings:
aggregationKind: SingleAlert
name: Azure RBAC (Elevate Access)
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Actor
identifier: Name
- entityType: IP
fieldMappings:
- columnName: IPAddress
identifier: Address
tactics:
- PrivilegeEscalation
version: 1.0.0
relevantTechniques:
- T1078
triggerOperator: GreaterThan
kind: Scheduled
id: 132fdff4-c044-4855-a390-c1b71e0f833b
suppressionEnabled: false
queryFrequency: 2h
enabled: true
queryPeriod: 2h
suppressionDuration: PT5H
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"properties": {
"alertRuleTemplateName": null,
"customDetails": null,
"description": "'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'\n",
"displayName": "Azure RBAC (Elevate Access)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Actor",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml",
"query": "AuditLogs\n| where Category =~ \"AzureRBACRoleManagementElevateAccess\"\n| where ActivityDisplayName =~ \"User has elevated their access to User Access Administrator for their Azure Resources\"\n| extend Actor = tostring(InitiatedBy.user.userPrincipalName)\n| extend IPAddress = tostring(InitiatedBy.user.ipAddress) \n| project\n TimeGenerated,\n Actor,\n OperationName,\n IPAddress,\n Result,\n LoggedByService\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}