# Threat Essentials - User Assigned Privileged Role

| Field | Value |
|---|---|
| Id | b09795c9-8dce-47ab-8f75-5a4afb78ef0c |
| Rulename | Threat Essentials - User Assigned Privileged Role |
| Description | Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1 |
| Severity | High |
| Tactics | Persistence |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_UserAssignedPrivilegedRole.yaml |
| Version | 1.0.3 |
| Arm template | b09795c9-8dce-47ab-8f75-5a4afb78ef0c.json |
```kusto
AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in~ ("Assign", "AssignEligibleRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)
| where displayName_ =~ "Role.DisplayName"
| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
| where RoleName contains "Admin"
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
| extend Target = tostring(TargetResources.userPrincipalName)
| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result
| extend InitiatorName=split(Initiator, "@")[0], InitiatorUPNSuffix=split(Initiator, "@")[1]
| extend TargetName=split(Target, "@")[0], TargetUPNSuffix=split(Target, "@")[1]
```
```yaml
tactics:
  - Persistence
query: |
  AuditLogs
  | where Category =~ "RoleManagement"
  | where AADOperationType in~ ("Assign", "AssignEligibleRole")
  | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)
  | where displayName_ =~ "Role.DisplayName"
  | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
  | where RoleName contains "Admin"
  | extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
  | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
  | extend Target = tostring(TargetResources.userPrincipalName)
  | summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result
  | extend InitiatorName=split(Initiator, "@")[0], InitiatorUPNSuffix=split(Initiator, "@")[1]
  | extend TargetName=split(Target, "@")[0], TargetUPNSuffix=split(Target, "@")[1]
triggerOperator: gt
version: 1.0.3
queryPeriod: 2h
tags:
  - AADSecOpsGuide
triggerThreshold: 0
kind: Scheduled
name: Threat Essentials - User Assigned Privileged Role
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SecurityThreatEssentialSolution/Analytic Rules/Threat_Essentials_UserAssignedPrivilegedRole.yaml
id: b09795c9-8dce-47ab-8f75-5a4afb78ef0c
queryFrequency: 2h
description: |
  'Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1'
status: Available
requiredDataConnectors:
  - dataTypes:
      - AuditLogs
    connectorId: AzureActiveDirectory
relevantTechniques:
  - T1078.004
entityMappings:
  - fieldMappings:
      - columnName: InitiatorName
        identifier: Name
      - columnName: InitiatorUPNSuffix
        identifier: UPNSuffix
    entityType: Account
  - fieldMappings:
      - columnName: TargetName
        identifier: Name
      - columnName: TargetUPNSuffix
        identifier: UPNSuffix
    entityType: Account
severity: High
```
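To make the rule's filter chain inspectable outside a Log Analytics workspace, the following is an added Python re-implementation of the KQL above, run over constructed AuditLogs records; it is example code, not part of the Azure-Sentinel repository or the rule. It mirrors each stage of the query: the category/operation/activity filters, the two `mv-expand` steps as nested loops, `tostring(parse_json(tostring(newValue)))` unwrapping the JSON-encoded role name, the case-insensitive `contains "Admin"` test, the `summarize by bin(TimeGenerated, 1h)` de-duplication, and the UPN split into the Name/UPNSuffix entity fields. Assumptions: the sample records, the user principal names and the app display name "Example PIM App" are constructed; `has_any` is approximated by a case-insensitive whole-string match; and where KQL's `split(...)[1]` yields null for an initiator without "@" (an app), this code yields an empty string.

```python
import json
from datetime import datetime

# Constructed sample AuditLogs records (not real tenant data). Field names mirror the
# Entra ID AuditLogs table the rule reads; the record index explains the expected outcome.
SAMPLE_AUDIT_LOGS = [
    {   # 0: user-initiated assignment to a privileged role -> alert
        "TimeGenerated": "2024-01-01T10:12:00Z", "Category": "RoleManagement",
        "AADOperationType": "Assign", "ActivityDisplayName": "Add member to role",
        "OperationName": "Add member to role", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "TargetResources": [{"userPrincipalName": "alice@example.com", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""},
            {"displayName": "Role.ObjectId", "newValue": "\"00000000-0000-0000-0000-000000000001\""}]}],
    },
    {   # 1: same assignment 28 minutes later, same 1h bin -> collapsed by summarize
        "TimeGenerated": "2024-01-01T10:40:00Z", "Category": "RoleManagement",
        "AADOperationType": "Assign", "ActivityDisplayName": "Add member to role",
        "OperationName": "Add member to role", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "TargetResources": [{"userPrincipalName": "alice@example.com", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}],
    },
    {   # 2: eligible assignment initiated by an app (constructed name) -> alert, app as Initiator
        "TimeGenerated": "2024-01-01T11:05:00Z", "Category": "RoleManagement",
        "AADOperationType": "AssignEligibleRole", "ActivityDisplayName": "Add eligible member to role",
        "OperationName": "Add eligible member to role", "Result": "success",
        "InitiatedBy": {"app": {"displayName": "Example PIM App"}},
        "TargetResources": [{"userPrincipalName": "bob@example.com", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Privileged Role Administrator\""}]}],
    },
    {   # 3: non-privileged role -> dropped by the contains "Admin" filter
        "TimeGenerated": "2024-01-01T11:30:00Z", "Category": "RoleManagement",
        "AADOperationType": "Assign", "ActivityDisplayName": "Add member to role",
        "OperationName": "Add member to role", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "TargetResources": [{"userPrincipalName": "carol@example.com", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Directory Readers\""}]}],
    },
    {   # 4: wrong category -> dropped by the first filter
        "TimeGenerated": "2024-01-01T12:00:00Z", "Category": "UserManagement",
        "AADOperationType": "Assign", "ActivityDisplayName": "Add member to role",
        "OperationName": "Add member to role", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
        "TargetResources": [{"userPrincipalName": "dave@example.com", "modifiedProperties": [
            {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}],
    },
]

PRIVILEGED_OPERATIONS = ("assign", "assigneligiblerole")            # AADOperationType in~ (...)
PRIVILEGED_ACTIVITIES = ("add eligible member to role", "add member to role")  # has_any (...)


def kql_parse_json(value):
    """Mimic tostring(parse_json(tostring(x))). In AuditLogs, newValue is a JSON-encoded
    string such as '"Global Administrator"', so parsing unwraps the quotes; text that is
    not valid JSON is returned unchanged, as KQL's parse_json does."""
    try:
        parsed = json.loads(value)
    except (TypeError, ValueError):
        return "" if value is None else str(value)
    return "" if parsed is None else str(parsed)


def hour_bin(timestamp):
    """Equivalent of bin(TimeGenerated, 1h) for an ISO-8601 timestamp."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def split_upn(value):
    """split(x, "@")[0] / [1]; an app display name has no "@" and yields an empty suffix."""
    name, _, suffix = value.partition("@")
    return name, suffix


def detect_privileged_role_assignments(records):
    """Return one row per (hour bin, operation, role, target, initiator, result), as the
    summarize step does, for every assignment of a role whose name contains 'admin'."""
    seen, hits = set(), []
    for rec in records:
        if str(rec.get("Category", "")).lower() != "rolemanagement":
            continue
        if str(rec.get("AADOperationType", "")).lower() not in PRIVILEGED_OPERATIONS:
            continue
        if str(rec.get("ActivityDisplayName", "")).lower() not in PRIVILEGED_ACTIVITIES:
            continue
        initiated_by = rec.get("InitiatedBy") or {}
        app_name = (initiated_by.get("app") or {}).get("displayName", "")
        initiator = app_name or (initiated_by.get("user") or {}).get("userPrincipalName", "")
        for target in rec.get("TargetResources") or []:          # mv-expand TargetResources
            target_upn = target.get("userPrincipalName", "")
            for prop in target.get("modifiedProperties") or []:  # mv-expand modifiedProperties
                if str(prop.get("displayName", "")).lower() != "role.displayname":
                    continue
                role_name = kql_parse_json(prop.get("newValue"))
                if "admin" not in role_name.lower():             # contains is case-insensitive
                    continue
                key = (hour_bin(rec["TimeGenerated"]), rec.get("OperationName"),
                       role_name, target_upn, initiator, rec.get("Result"))
                if key in seen:                                  # summarize by ... collapses duplicates
                    continue
                seen.add(key)
                init_name, init_suffix = split_upn(initiator)
                tgt_name, tgt_suffix = split_upn(target_upn)
                hits.append({"TimeBin": key[0], "OperationName": key[1], "RoleName": role_name,
                             "Target": target_upn, "Initiator": initiator, "Result": key[5],
                             "InitiatorName": init_name, "InitiatorUPNSuffix": init_suffix,
                             "TargetName": tgt_name, "TargetUPNSuffix": tgt_suffix})
    return hits


if __name__ == "__main__":
    for hit in detect_privileged_role_assignments(SAMPLE_AUDIT_LOGS):
        print(hit)
```

Running it over the five constructed records yields two rows: the Global Administrator assignment to alice (records 0 and 1 collapse into one 10:00 bin) and the app-initiated Privileged Role Administrator eligibility for bob, while the Directory Readers assignment and the UserManagement event are dropped. The empty `InitiatorUPNSuffix` on the app-initiated row is the case a triage analyst should expect when the Account entity mapping receives an application name rather than a UPN.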