Azure Global Administrator Role Addition to PIM Useredit
Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.
Rule type: query
Rule indices:
- filebeat-*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Azure
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 1
Added (Elastic Stack release): 7.10.0
Rule authors: Elastic
Rule license: Elastic License
Potential false positivesedit
Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Investigation guideedit
The Azure Filebeat module must be enabled to use this rule.
Rule queryedit
event.dataset:azure.auditlogs and
azure.auditlogs.properties.category:RoleManagement and
azure.auditlogs.operation_name:("Add eligible member to role in PIM
completed (permanent)" or "Add member to role in PIM completed
(timebound)") and
azure.auditlogs.properties.target_resources.*.display_name:"Global
Administrator" and event.outcome:Success
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/