Techniques
Sample rules
Bulk Deletion Changes To Privileged Account Permissions
- source: sigma
- techniques:
  - t1098
Description
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Detection logic
condition: selection
selection:
  properties.message:
    - Remove eligible member (permanent)
    - Remove eligible member (eligible)