IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Azure Global Administrator Role Addition to PIM User
editAzure Global Administrator Role Addition to PIM User
editIdentifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global Administrator role can read and modify any administrative setting in your Azure AD organization.
Rule type: query
Rule indices:
- filebeat-*
- logs-azure*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Azure
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 8
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
editevent.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or "Add member to role in PIM completed (timebound)") and azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and event.outcome:(Success or success)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/