Azure RBAC Elevate Access
Id | 132fdff4-c044-4855-a390-c1b71e0f833b |
Rulename | Azure RBAC (Elevate Access) |
Description | Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. Learn more |
Severity | High |
Tactics | PrivilegeEscalation |
Techniques | T1078 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 2h |
Query period | 2h |
Trigger threshold | 0 |
Trigger operator | GreaterThan |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml |
Version | 1.0.0 |
Arm template | 132fdff4-c044-4855-a390-c1b71e0f833b.json |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
queryPeriod: 2h
tactics:
- PrivilegeEscalation
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByCustomDetails: []
enabled: false
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: PT5H
groupByEntities: []
groupByAlertDetails: []
suppressionEnabled: false
eventGroupingSettings:
aggregationKind: SingleAlert
relevantTechniques:
- T1078
triggerThreshold: 0
suppressionDuration: PT5H
query: |
AuditLogs
| where Category =~ "AzureRBACRoleManagementElevateAccess"
| where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project
TimeGenerated,
Actor,
OperationName,
IPAddress,
Result,
LoggedByService
severity: High
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Actor
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
id: 132fdff4-c044-4855-a390-c1b71e0f833b
alertRuleTemplateName:
version: 1.0.0
description: |
'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'
triggerOperator: GreaterThan
enabled: true
queryFrequency: 2h
kind: Scheduled
name: Azure RBAC (Elevate Access)
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/132fdff4-c044-4855-a390-c1b71e0f833b')]",
"properties": {
"alertRuleTemplateName": "132fdff4-c044-4855-a390-c1b71e0f833b",
"customDetails": null,
"description": "'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'\n",
"displayName": "Azure RBAC (Elevate Access)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Actor",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml",
"query": "AuditLogs\n| where Category =~ \"AzureRBACRoleManagementElevateAccess\"\n| where ActivityDisplayName =~ \"User has elevated their access to User Access Administrator for their Azure Resources\"\n| extend Actor = tostring(InitiatedBy.user.userPrincipalName)\n| extend IPAddress = tostring(InitiatedBy.user.ipAddress) \n| project\n TimeGenerated,\n Actor,\n OperationName,\n IPAddress,\n Result,\n LoggedByService\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}