LoFP / legtimate administrator actions of adding members from a role

Techniques

• t1078
• t1078.004

Sample rules

User Added To Privilege Role

• source: sigma
• technicques:
  • t1078
  • t1078.004

Description

Detects when a user is added to a privileged role.

Detection logic

condition: selection
selection:
  properties.message:
  - Add eligible member (permanent)
  - Add eligible member (eligible)