Azure AD Privileged Role Assigned
- source: splunk
- techniques:
- T1098
- T1098.003
Description
The following analytic identifies the assignment of sensitive and privileged Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike may assign these roles to a compromised account to establish Persistence in an Azure AD environment.
Detection logic
`azure_monitor_aad` "operationName"="Add member to role"
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.modifiedProperties{}.newValue as roles
| eval role=mvindex(roles,1)
| lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description
| search isprvilegedadrole = True
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role, description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_privileged_role_assigned_filter`
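The same detection logic, re-implemented in Python over constructed audit events so the pipeline can be read step by step. This is an added example, not the Splunk rule's own code; it assumes the Azure Monitor export shape for "Add member to role" events (role display name carried in the `Role.DisplayName` modified property, which is what `mvindex(roles,1)` picks out positionally) and a small constructed stand-in for the `privileged_azure_ad_roles` lookup.

```python
import json

# Stand-in for the privileged_azure_ad_roles lookup. Assumption: a constructed
# subset; the page does not list the lookup's contents.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _event(initiator, target, role):
    """Constructed Azure AD audit event, trimmed to the fields the detection reads."""
    return {"operationName": "Add member to role", "resultType": "success",
            "properties": {
                "initiatedBy": {"user": {"userPrincipalName": initiator}},
                "targetResources": [{"userPrincipalName": target, "modifiedProperties": [
                    {"displayName": "Role.ObjectID", "newValue": "\"0000-role-objectid\""},
                    {"displayName": "Role.DisplayName", "newValue": json.dumps(role)},
                    {"displayName": "Role.TemplateId", "newValue": "\"0000-role-templateid\""},
                ]}]}}


SAMPLE_EVENTS = [
    _event("helpdesk@example.com", "alice@example.com", "Directory Readers"),
    _event("compromised@example.com", "svc-backup@example.com", "Global Administrator"),
]


def role_name(modified_props):
    """The SPL takes mvindex(roles,1), i.e. the second newValue, which is
    Role.DisplayName. Selecting by displayName is more robust to ordering."""
    for prop in modified_props:
        if prop.get("displayName") == "Role.DisplayName":
            return json.loads(prop["newValue"])  # newValue is a JSON-quoted string
    return None


def detect_privileged_role_assignments(events, privileged_roles=PRIVILEGED_ROLES):
    """Return one hit per target that was added to a privileged role."""
    hits = []
    for ev in events:
        if ev.get("operationName") != "Add member to role":
            continue
        props = ev["properties"]
        for target in props.get("targetResources", []):
            role = role_name(target.get("modifiedProperties", []))
            if role in privileged_roles:
                hits.append({"initiatedBy": props["initiatedBy"]["user"]["userPrincipalName"],
                             "user": target.get("userPrincipalName"),
                             "role": role, "result": ev.get("resultType")})
    return hits
```

Running `detect_privileged_role_assignments(SAMPLE_EVENTS)` yields only the Global Administrator assignment; the Directory Readers one is dropped, mirroring the `search isprvilegedadrole = True` step (that spelling must match the lookup's column header exactly).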