Techniques
Sample rules
O365 High Privilege Role Granted
- source: splunk
- technicques:
- T1098
- T1098.003
Description
The following analytic detects when high-privilege roles such as “Exchange Administrator,” “SharePoint Administrator,” or “Global Administrator” are granted within Office 365. It leverages O365 audit logs to identify events where these roles are assigned to any user or service account. This activity is significant for SOCs as these roles provide extensive permissions, allowing broad access and control over critical resources and data. If confirmed malicious, this could enable attackers to gain significant control over O365 resources, access, modify, or delete critical data, and compromise the overall security and functionality of the O365 environment.
Detection logic
`o365_management_activity` Operation="Add member to role." Workload=AzureActiveDirectory
| eval role_id = mvindex('ModifiedProperties{}.NewValue',2)
| eval role_name = mvindex('ModifiedProperties{}.NewValue',1)
| where role_id IN ("29232cdf-9323-42fd-ade2-1d097af3e4de", "f28a1f50-f6e7-4571-818b-6a12f2af6b6c", "62e90394-69f5-4237-9190-012177145e10")
| stats earliest(_time) as firstTime latest(_time) as lastTime by user Operation ObjectId role_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_high_privilege_role_granted_filter`