Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert
The following rules are used to identify suspicious Microsoft Entra changes to privileged role assignment. Any one or more of these rules firing will trigger the Microsoft Entra Changes to Privileged Role Assignment alert. The details for each rule (query, log source, rule source, author, ATT&CK mapping, severity) are listed alongside its description.
| Title | Description | Rule ID | Query | Log Source | Rule Source | Author | Tactics, Techniques, and Procedures | References | Severity | Suppression Logic Based On | Additional Information |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Bulk Deletion Changes To Privileged Account Permissions | Detects when a user is removed from a privileged role. Bulk changes should be investigated. | | `{'selection': {'properties_message': ['Remove eligible member (permanent)', 'Remove eligible member (eligible)']}, 'condition': 'selection'}` | Stellar Cyber Microsoft Entra Events configured. | SigmaHQ, 102e11e3-2db5-4c9e-bc26-357d42585d21 | Mark Morowczynski '@markmorow', Yochana Henderson '@Yochana-H' | PRIVILEGE_ESCALATION, T1078.004 | N/A | 75 | | |
| PIM Approvals And Deny Elevation | Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated. | | `{'selection': {'properties_message': 'Request Approved/Denied'}, 'condition': 'selection'}` | Stellar Cyber Microsoft Entra Events configured. | SigmaHQ, 039a7469-0296-4450-84c0-f6966b16dc6d | Mark Morowczynski '@markmorow', Yochana Henderson '@Yochana-H' | PRIVILEGE_ESCALATION, T1078.004 | N/A | 75 | | |
| User Added To Privilege Role | Detects when a user is added to a privileged role. | | `{'selection': {'properties_message': ['Add eligible member (permanent)', 'Add eligible member (eligible)']}, 'condition': 'selection'}` | Stellar Cyber Microsoft Entra Events configured. | SigmaHQ, 49a268a4-72f4-4e38-8a7b-885be690c5b5 | Mark Morowczynski '@markmorow', Yochana Henderson '@Yochana-H' | PRIVILEGE_ESCALATION, T1078.004 | N/A | 75 | | |
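The three Sigma selections above all key on a single field, `properties_message`, and differ only in the values they accept. The following added example (it is not Stellar Cyber's or SigmaHQ's code) applies those exact selections to a handful of constructed Microsoft Entra audit events to show what each rule would flag, and then groups removal hits by the initiating actor, since the first rule's description says bulk changes are what should be investigated. The `actor` and `target` fields, the sample events, and the bulk threshold of 3 are assumptions for illustration; only `properties_message` and the match values come from the rule table.

```python
"""Evaluate the page's three Sigma selections against constructed Entra events.

Added example, not code from Stellar Cyber or SigmaHQ. Field name
properties_message and the matched values come from the rule table; every
other field, all sample events and the bulk threshold are constructed.
"""
from collections import Counter

# Sigma 'selection' blocks copied from the rule table. A list value means
# "any of these values" (Sigma OR semantics within one field).
RULES = {
    "Bulk Deletion Changes To Privileged Account Permissions": {
        "properties_message": ["Remove eligible member (permanent)",
                               "Remove eligible member (eligible)"]},
    "PIM Approvals And Deny Elevation": {
        "properties_message": "Request Approved/Denied"},
    "User Added To Privilege Role": {
        "properties_message": ["Add eligible member (permanent)",
                               "Add eligible member (eligible)"]},
}
SEVERITY = 75  # severity the page assigns to all three rules


def selection_matches(selection, event):
    """Sigma selection semantics: every listed field must match; a list of
    values matches when the event's value equals any entry in the list."""
    for field, wanted in selection.items():
        value = event.get(field)
        if isinstance(wanted, list):
            if value not in wanted:
                return False
        elif value != wanted:
            return False
    return True


def evaluate(events):
    """Return (rule_title, event) for every event that fires a rule."""
    hits = []
    for event in events:
        for title, selection in RULES.items():
            if selection_matches(selection, event):
                hits.append((title, event))
    return hits


def bulk_removals(hits, threshold=3):
    """The bulk-deletion rule fires once per removal; grouping removal hits by
    the initiating actor makes a burst of removals stand out. 'actor' is a
    constructed field name and the threshold is an assumed tuning value."""
    counts = Counter(event["actor"] for title, event in hits
                     if title.startswith("Bulk Deletion"))
    return {actor: n for actor, n in counts.items() if n >= threshold}


# Constructed sample events, not real tenant data. The last message is a
# made-up value that none of the three selections should match.
SAMPLE_EVENTS = [
    {"actor": "admin@contoso.example", "target": "u1",
     "properties_message": "Remove eligible member (permanent)"},
    {"actor": "admin@contoso.example", "target": "u2",
     "properties_message": "Remove eligible member (eligible)"},
    {"actor": "admin@contoso.example", "target": "u3",
     "properties_message": "Remove eligible member (permanent)"},
    {"actor": "approver@contoso.example", "target": "u4",
     "properties_message": "Request Approved/Denied"},
    {"actor": "helpdesk@contoso.example", "target": "u5",
     "properties_message": "Add eligible member (eligible)"},
    {"actor": "helpdesk@contoso.example", "target": "u6",
     "properties_message": "Update role setting in PIM"},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for title, event in hits:
        print(f"[{SEVERITY}] {title}: {event['actor']} -> {event['target']}")
    print("Actors with bulk removals:", bulk_removals(hits))
```

Run against the constructed events, five of the six fire a rule: three removals from the same actor (which the bulk grouping surfaces), one PIM approval/denial, and one eligible-member addition; the made-up "Update role setting in PIM" message matches nothing, which is the expected behaviour of an exact-value Sigma selection.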