Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert
The following rules are used to identify suspicious Microsoft Entra privileged account assignment or elevation. Any one or more of these will trigger the Microsoft Entra Privileged Account Assignment or Elevation Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description |
---|---|
Azure Subscription Permission Elevation via AuditLogs | Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. More details |

- Rule ID:
- Query: `{'selection': {'Category': 'Administrative', 'OperationName': 'Assigns the caller to user access admin'}, 'condition': 'selection'}`
- Log Source: Stellar Cyber Microsoft Entra Events configured.
- Rule Source: SigmaHQ, ca9bf243-465e-494a-9e54-bf9fc239057d
- Author: Austin Songer @austinsonger
- Tactics, Techniques, and Procedures:
- References:
- Severity: 75
- Suppression Logic Based On:
- Additional Information:
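To show how the Query field of the rule above selects events, the following added example (not Stellar Cyber's or SigmaHQ's own code) evaluates that query against constructed log records. It assumes Sigma's default case-insensitive string matching; the `Caller` field and all sample values are hypothetical.

```python
import ast

# Query string copied from the rule's Query field on this page.
RULE_QUERY = ("{'selection': {'Category': 'Administrative', "
              "'OperationName': 'Assigns the caller to user access admin'}, "
              "'condition': 'selection'}")


def field_matches(expected, actual):
    """Sigma-style comparison (assumed): strings compare case-insensitively,
    and a list of expected values means 'any of these'."""
    if isinstance(expected, list):
        return any(field_matches(item, actual) for item in expected)
    if actual is None:
        return False  # a missing field never satisfies the selection
    return str(expected).lower() == str(actual).lower()


def rule_matches(query_text, event):
    """Evaluate a query whose condition is a single named selection."""
    rule = ast.literal_eval(query_text)  # parses literals only, never executes code
    name = rule["condition"]
    if name not in rule:
        # Compound conditions ("a and not b") are outside this example's scope.
        raise ValueError(f"unsupported condition: {name!r}")
    # Every field in the selection must match (logical AND).
    return all(field_matches(v, event.get(k)) for k, v in rule[name].items())


# Constructed sample events; "Caller" and its values are hypothetical.
SAMPLE_EVENTS = [
    {"Category": "Administrative",
     "OperationName": "Assigns the caller to user access admin",
     "Caller": "admin@example.com"},
    {"Category": "Administrative", "OperationName": "Update user",
     "Caller": "helpdesk@example.com"},
    {"Category": "Policy",
     "OperationName": "Assigns the caller to user access admin",
     "Caller": "svc@example.com"},
    {"Category": "administrative",
     "OperationName": "ASSIGNS THE CALLER TO USER ACCESS ADMIN",
     "Caller": "ops@example.com"},
]


def alerting_callers(events, query_text=RULE_QUERY):
    """Return the Caller of every event the rule would flag."""
    return [e["Caller"] for e in events if rule_matches(query_text, e)]


if __name__ == "__main__":
    print(alerting_callers(SAMPLE_EVENTS))
```

Both fields must match for an event to be flagged, so an administrative event with a different operation name, or the same operation name under another category, does not raise the alert.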