Merge pull request #3331 from MarkMorow/markmorow

Create azure_priviledged_role_assignment_bulk_change.yml

rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml

@@ -0,0 +1,23 @@
+title: Bulk Deletion Changes To Privileged Account Permissions
+id: 102e11e3-2db5-4c9e-bc26-357d42585d21
+status: experimental
+description: Detects when a user is removed from a privileged role. Bulk changes should be investigated. 
+author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
+date: 2022/08/05
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
+logsource:
+    product: azure
+    service: auditlogs
+detection:
+    selection:
+        properties.message: 
+        - Remove eligible member (permanent)
+        - Remove eligible member (eligible)
+    condition: selection
+falsepositives:
+     - Legtimate administrator actions of removing members from a role
+tags:
+    - attack.persistence
+    - attack.t1098
+level: high