LoFP / Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.

Techniques

Sample rules

Azure AD Global Administrator Role Assigned

Description

The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the “Add member to role” operation includes the “Global Administrator” role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.

Detection logic

`azure_monitor_aad`  operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" 
| rename properties.* as * 
| rename initiatedBy.user.userPrincipalName as initiatedBy 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_global_administrator_role_assigned_filter`
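The following Python script is an added example, not part of the Splunk security content or this page, that re-implements the search above over a handful of constructed Azure AD AuditLogs events so the matching and grouping can be checked offline. It assumes the event shape shown in the sample data (operationName, result, properties.initiatedBy.user.userPrincipalName, properties.targetResources[].modifiedProperties[].newValue), takes the `user` value from the target resource's userPrincipalName, and stands in for the `azure_ad_global_administrator_role_assigned_filter` macro with an allowlist of initiating accounts, which is where the legitimate-administrator false positive is tuned out. Note that AuditLogs store newValue as a JSON-encoded string, which is why the SPL matches the quoted form `"\"Global Administrator\""`.

```python
import json
from collections import defaultdict
from datetime import datetime

GLOBAL_ADMIN = "Global Administrator"
ROLE_ADD_OP = "Add member to role"

# Constructed sample events (not real log data). Field layout is an assumption
# modelled on the fields the SPL references.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00Z", "operationName": ROLE_ADD_OP, "result": "success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}},
                    "targetResources": [{"userPrincipalName": "newadmin@example.com",
                                         "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                                 "newValue": "\"Global Administrator\""}]}]}},
    {"time": "2024-05-01T09:05:00Z", "operationName": ROLE_ADD_OP, "result": "success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}},
                    "targetResources": [{"userPrincipalName": "secondadmin@example.com",
                                         "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                                 "newValue": "\"Global Administrator\""}]}]}},
    {"time": "2024-05-01T10:00:00Z", "operationName": ROLE_ADD_OP, "result": "failure",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "svc-helpdesk@example.com"}},
                    "targetResources": [{"userPrincipalName": "contractor@example.com",
                                         "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                                 "newValue": "\"Global Administrator\""}]}]}},
    # Different role: must not match.
    {"time": "2024-05-01T10:30:00Z", "operationName": ROLE_ADD_OP, "result": "success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}},
                    "targetResources": [{"userPrincipalName": "helpdesk2@example.com",
                                         "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                                 "newValue": "\"User Administrator\""}]}]}},
    # Role removal: different operationName, must not match.
    {"time": "2024-05-01T11:00:00Z", "operationName": "Remove member from role", "result": "success",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "itadmin@example.com"}},
                    "targetResources": [{"userPrincipalName": "newadmin@example.com",
                                         "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                                 "newValue": "\"Global Administrator\""}]}]}},
]


def _role_name(raw):
    """newValue is a JSON-encoded string ('"Global Administrator"', quotes included).
    The SPL matches that raw quoted form; decoding here makes both forms compare equal."""
    if isinstance(raw, str) and raw.startswith('"'):
        try:
            return json.loads(raw)
        except ValueError:
            return raw
    return raw


def is_global_admin_assignment(event):
    """Equivalent of the base search: operationName and role name must both match."""
    if event.get("operationName") != ROLE_ADD_OP:
        return False
    for target in event.get("properties", {}).get("targetResources", []):
        for mp in target.get("modifiedProperties", []):
            if _role_name(mp.get("newValue")) == GLOBAL_ADMIN:
                return True
    return False


def _target_users(event):
    # Assumption: the SPL's `user` field corresponds to the target resource UPN.
    return [t["userPrincipalName"] for t in event.get("properties", {}).get("targetResources", [])
            if t.get("userPrincipalName")]


def detect(events, allowlist=frozenset()):
    """Equivalent of the stats clause: count, firstTime, lastTime, values(user)
    grouped by initiatedBy, result, operationName. `allowlist` plays the role of the
    *_filter macro: initiators listed there are known legitimate admins and are dropped."""
    groups = defaultdict(lambda: {"count": 0, "times": [], "users": set()})
    for ev in events:
        if not is_global_admin_assignment(ev):
            continue
        initiated_by = ev.get("properties", {}).get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        if initiated_by in allowlist:
            continue
        g = groups[(initiated_by, ev.get("result"), ev.get("operationName"))]
        g["count"] += 1
        g["times"].append(datetime.fromisoformat(ev["time"].replace("Z", "+00:00")))
        g["users"].update(_target_users(ev))
    results = []
    for (initiated_by, result, op), g in sorted(groups.items(), key=lambda kv: str(kv[0])):
        results.append({"initiatedBy": initiated_by, "result": result, "operationName": op,
                        "count": g["count"], "firstTime": min(g["times"]).isoformat(),
                        "lastTime": max(g["times"]).isoformat(), "user": sorted(g["users"])})
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("after allowlisting itadmin:", detect(SAMPLE_EVENTS, allowlist={"itadmin@example.com"}))
```

Running the block unfiltered yields two rows (the two itadmin assignments collapse into one row with count 2, the failed helpdesk attempt is its own row); with the allowlist applied only the helpdesk row remains, which is the effect the filter macro is meant to have once known administrator accounts are tuned in.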