From a17a2468d5df7f17f5e23a845dd9656c3a7e2f2a Mon Sep 17 00:00:00 2001 From: Mark Morowczynski Date: Fri, 5 Aug 2022 16:06:41 -0700 Subject: [PATCH] Create azure_priviledged_role_assignment_bulk_change.yml Priv role assignment removal --- ...riviledged_role_assignment_bulk_change.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml diff --git a/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml b/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml new file mode 100644 index 000000000..7d44ff679 --- /dev/null +++ b/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml @@ -0,0 +1,23 @@ +title: Bulk Deletion Changes To Privileged Account Permissions +id: 102e11e3-2db5-4c9e-bc26-357d42585d21 +status: experimental +description: Detects when a user is removed from a privileged role. Bulk changes should be investigated. +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/05 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment +logsource: + product: azure + service: auditlogs +detection: + selection: + properties.message: + - Remove eligible member (permanent) + - Remove eligible member (eligible) + condition: selection +falsepositives: + - Legtimate administrator actions of removing members from a role +tags: + - attack.persistence + - attack.t1098 +level: high
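Review bot: the title ("Bulk Deletion Changes To Privileged Account Permissions") and the description ("Bulk changes should be investigated") promise bulk detection, but `condition: selection` matches every single `Remove eligible member (permanent)` / `Remove eligible member (eligible)` event with no aggregation, so at `level: high` this alerts on each routine PIM clean-up, which is exactly the activity listed under falsepositives. Either re-describe it as a single-removal alert and lower the level, or add a count-based condition (Sigma's `| count() by <initiator field> > N` form, with the field name taken from whatever your backend exposes for the initiating user) so the rule actually keys on volume. Note also that both selection strings begin with "Remove eligible member", so removal of active (permanent) role members is not covered; if that is intended, say so in the description, otherwise add the corresponding activity names. Minor: "Legtimate" in falsepositives should be "Legitimate", the filename misspells "privileged" as "priviledged", and the author field quotes the handles inconsistently (`'@markmorow'` attached to the name vs `, '@Yochana-H'` as a separate item).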