[New Rule] Azure Subscription Permission Elevation

[austinsonger]

Description

Identifies when a user has been elevated to manage all Azure Subscriptions. This setting could allow an attacker access to Azure subscriptions in your environment.

Required Info

Target indexes

filebeat-*, logs-azure*

Platforms

Azure

Optional Info

Query

(event.dataset:azure.activitylogs and 
azure.activitylogs.operation_name: "MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION" and 
event.outcome:(Success or success)) or
(event.dataset:azure.auditlogs and azure.auditlogs.operation_name: "Assigns the caller to user access admin" and 
event.outcome:(Success or success))

New fields required in ECS/data sources for this rule?

Related issues or PRs

False Positives

MITRE

Tactic	Technique ID	Technique Name	Sub-Technique Name

References

• https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
• https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization

[botelastic[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic[bot]]

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.