Rules Contributing to Suspicious Azure Account Permission Elevation Alert

The following rules are used to identify suspicious Azure account permission elevation. Any one or more of these will trigger the Suspicious Azure Account Permission Elevation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

| Title | Description |
| --- | --- |
| Azure Subscription Permission Elevation Via ActivityLogs | Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. |
| Granting Of Permissions To An Account | Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used. |
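
The logic the two rule descriptions outline can be sketched over Azure Activity Log records as follows. This is an added example, not the product's own rule code: the flattened field names (`operationName`, `caller`, `callerIpAddress`), the rule labels, and the sample records are assumptions constructed for illustration, and the known-IP baseline is kept as one global set.

```python
# Added illustration; field names assume a flattened Activity Log record.
ELEVATE_OP = "microsoft.authorization/elevateaccess/action"
ROLE_WRITE_OP = "microsoft.authorization/roleassignments/write"


def detect(events, baseline_events=()):
    """Return (rule, event) findings for `events`, given in time order.

    `baseline_events` is history used only to learn known grant source IPs.
    """
    seen_ips = {
        ev["callerIpAddress"]
        for ev in baseline_events
        if ev.get("operationName", "").lower() == ROLE_WRITE_OP
        and ev.get("callerIpAddress")
    }
    findings = []
    for ev in events:
        op = ev.get("operationName", "").lower()  # casing varies between sources
        ip = ev.get("callerIpAddress")
        if op == ELEVATE_OP:
            # Rule 1: any elevation to manage all subscriptions is reported.
            findings.append(("subscription_permission_elevation", ev))
        elif op == ROLE_WRITE_OP and (ip is None or ip not in seen_ips):
            # Rule 2: grant from an IP not seen before (or with no IP logged).
            findings.append(("permission_grant_from_unseen_ip", ev))
            if ip:
                seen_ips.add(ip)  # alert once per new IP, then treat as known
    return findings


def ev_record(op, caller, ip):
    return {"operationName": op, "caller": caller, "callerIpAddress": ip}


# Constructed sample records (documentation IP ranges, made-up callers).
GRANT = "Microsoft.Authorization/roleAssignments/write"
BASELINE = [ev_record(GRANT, "alice@example.com", "192.0.2.10")]
NEW_EVENTS = [
    ev_record(GRANT, "alice@example.com", "192.0.2.10"),   # known IP
    ev_record(GRANT, "bob@example.com", "203.0.113.7"),    # unseen IP
    ev_record(GRANT, "bob@example.com", "203.0.113.7"),    # now known
    ev_record("Microsoft.Authorization/elevateAccess/action", "carol@example.com", "192.0.2.10"),
    ev_record("Microsoft.Compute/virtualMachines/write", "dave@example.com", "198.51.100.1"),
]

if __name__ == "__main__":
    for rule, ev in detect(NEW_EVENTS, BASELINE):
        print(rule, ev["caller"], ev["callerIpAddress"])
```
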