Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert

The following rules are used to identify suspicious Microsoft Entra privileged account assignment or elevation. Any one or more of these will trigger the Microsoft Entra Privileged Account Assignment or Elevation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

More details

Rule ID

azure_35

Query

{'selection': {'Category': 'Administrative', 'OperationName': 'Assigns the caller to user access admin'}, 'condition': 'selection'}

Log Source

Stellar Cyber Microsoft Entra Events configured.

Rule Source

SigmaHQ,ca9bf243-465e-494a-9e54-bf9fc239057d

Author: Austin Songer @austinsonger

Tactics, Techniques, and Procedures

PRIVILEGE_ESCALATION, T1078

References

N/A

Additional Information

Maturity	Creation Date	Risk Level	False Positives
test	2021/11/26	high	If this was approved by System Administrator.