forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpersistence_azure_pim_user_added_global_admin.toml
61 lines (53 loc) · 2.26 KB
/
persistence_azure_pim_user_added_global_admin.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
[metadata]
creation_date = "2020/09/24"
maturity = "production"
updated_date = "2021/07/20"
integration = "azure"
[rule]
author = ["Elastic"]
description = """
Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM)
user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an
organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in
your Azure AD organization.
"""
false_positives = [
"""
Global administrator additions may be done by a system or network administrator. Verify whether the username,
hostname, and/or resource name should be making changes in your environment. Global administrator additions from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Global Administrator Role Addition to PIM User"
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
]
risk_score = 73
rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
severity = "high"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or
"Add member to role in PIM completed (timebound)") and
azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and
event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"