Azure AD member assigned built-in Administrator role
Set up the azure integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect an Azure Active Directory (Azure AD) member being added to a built-in Administrative role.
Strategy
Monitor Azure AD Audit logs for the following operations:
@evt.name:"Add member to role"
@properties.targetResources.modifiedProperties.newValue:*Administrator*
Azure AD uses roles to assign privileges to identities. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:
This whitepaper from Mandiant describes the abuse of Azure AD privileged roles.
The field @usr.id
is the identity that actioned the change, and the fields @properties.targetResources.userPrincipalName
or @properties.targetResources.displaylName
is the identity being assigned the administrative privileges.
Triage and response
- Determine if
{{@usr.id}}
should have made a {{@evt.name}}
API call. - If the API call was not made by the user:
- Rotate user credentials.
- Determine what other API calls were made by the user.
- Begin your organization’s incident response (IR) process and investigate.
- If the API call was made legitimately by the user:
- Determine if
{{@usr.id}}
was authorized to make the change. - Follow Microsoft’s best practices where possible to ensure the user was assigned the correct level of privileges for their function.
Changelog
- 19 December 2023 - Updated group by values to include
@properties.targetResources.userPrincipalName
- 19 September 2024 - Updated with additional query to capture service principals being assigned administrative roles.