t1098.003
| Title | Tags |
| --- | --- |
| administrator roles could be assigned to users or groups by other admin users. | t1098, t1098.003, okta, sigma |
| administrators may legitimately assign the application administrator role to a user. filter as needed. | t1098, t1098.003, azure active directory, splunk |
| administrators may legitimately assign the global administrator role to a user. filter as needed. | t1098.003, azure active directory, splunk |
| administrators may legitimately assign the privileged roles to service principals as part of administrative tasks. filter as needed. | t1098, t1098.003, azure active directory, splunk |
| administrators will legitimately assign the privileged roles to users as part of administrative tasks. filter as needed. | t1098, t1098.003, azure active directory, splunk |
| as part of legitimate administrative behavior, users may activate pim roles. filter as needed | t1098, t1098.003, azure active directory, splunk |
| as part of legitimate administrative behavior, users may be assigned pim roles. filter as needed | t1098, t1098.003, azure active directory, splunk |
| legitimate administrative activities changing the access levels for an application | t1098, t1098.003, gcp, sigma |
| legitimate applications may be granted tenant wide consent, filter as needed. | t1098, t1098.003, azure tenant, o365 tenant, splunk |
| pim (privileged identity management) generates this event each time 'eligible role' is enabled. | t1078, t1098, t1098.003, azure, sigma |
| privilege roles may be assigned for legitimate purposes, filter as needed. | t1098, t1098.003, o365 tenant, splunk |
| service principals are sometimes configured to legitimately bypass the consent process for purposes of automation. filter as needed. | t1098.003, azure active directory, o365 tenant, splunk |
| the full_access_as_app api permission may be assigned to legitimate applications. filter as needed. | T1098.002, t1098.003, o365 tenant, azure active directory, splunk |
| there are legitimate scenarios in which an application registration requires mailbox read access. filter as needed. | t1098, t1098.003, t1114, T1114.002, o365 tenant, splunk |
| valid change | t1003, t1098, t1098.003, azure, sigma |
| validate whether the actor is permitted to access the repo. | t1098, t1098.001, t1098.003, t1213, t1213.003, github, sigma |
| validate the multifactor authentication changes. | t1098, t1098.001, t1098.003, t1213, t1213.003, github, sigma |
| when the permission is legitimately needed for the app | t1098, t1098.003, t1528, azure, sigma |