Azure RBAC Elevate Access
| Id | 132fdff4-c044-4855-a390-c1b71e0f833b |
| Rulename | Azure RBAC (Elevate Access) |
| Description | Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. Learn more |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1078 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | GreaterThan |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml |
| Version | 1.0.0 |
| Arm template | 132fdff4-c044-4855-a390-c1b71e0f833b.json |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
triggerThreshold: 0
alertRuleTemplateName:
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Actor
identifier: Name
- entityType: IP
fieldMappings:
- columnName: IPAddress
identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
queryPeriod: 2h
id: 132fdff4-c044-4855-a390-c1b71e0f833b
relevantTechniques:
- T1078
triggerOperator: GreaterThan
name: Azure RBAC (Elevate Access)
description: |
'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'
kind: Scheduled
query: |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
version: 1.0.0
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
groupByAlertDetails: []
groupByEntities: []
groupByCustomDetails: []
enabled: false
suppressionEnabled: false
severity: High
queryFrequency: 2h
eventGroupingSettings:
aggregationKind: SingleAlert
tactics:
- PrivilegeEscalation
enabled: true
suppressionDuration: PT5H
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"properties": {
"alertRuleTemplateName": "132fdff4-c044-4855-a390-c1b71e0f833b",
"customDetails": null,
"description": "'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'\n",
"displayName": "Azure RBAC (Elevate Access)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Actor",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml",
"query": "AuditLogs\n| where Category =~ \"AzureRBACRoleManagementElevateAccess\"\n| where ActivityDisplayName =~ \"User has elevated their access to User Access Administrator for their Azure Resources\"\n| extend Actor = tostring(InitiatedBy.user.userPrincipalName)\n| extend IPAddress = tostring(InitiatedBy.user.ipAddress) \n| project\n TimeGenerated,\n Actor,\n OperationName,\n IPAddress,\n Result,\n LoggedByService\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}