Azure Global Administrator Role Addition to PIM User
editAzure Global Administrator Role Addition to PIM User
editIdentifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.
Rule type: query
Rule indices:
- filebeat-*
- logs-azure*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Cloud
- Azure
- Continuous Monitoring
- SecOps
- Identity and Access
Version: 101 (version history)
Added (Elastic Stack release): 7.10.0
Last modified (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editGlobal administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Investigation guide
editRule query
editevent.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or "Add member to role in PIM completed (timebound)") and azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and event.outcome:(Success or success)
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Rule version history
edit- Version 101 (8.6.0 release)
-
- Formatting only
- Version 100 (8.5.0 release)
-
- Formatting only
- Version 7 (8.4.0 release)
-
- Formatting only
- Version 5 (7.13.0 release)
-
- Formatting only
- Version 4 (7.12.0 release)
-
- Formatting only
- Version 3 (7.11.2 release)
-
- Formatting only
- Version 2 (7.11.0 release)
-
-
Updated query, changed from:
event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or "Add member to role in PIM completed (timebound)") and azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and event.outcome:Success
-