PIM (Privileged Identity Management) generates this event each time an 'eligible role' is enabled.

Techniques

Sample rules

User Added to an Administrator’s Azure AD Role

Description

User Added to an Administrator’s Azure AD Role

Detection logic

condition: selection
selection:
  ModifiedProperties{}.NewValue|endswith:
  - Admins
  - Administrator
  Operation: Add member to role.
  Workload: AzureActiveDirectory