Create azure_ad_users_added_to_device_admin_roles.yml

2022-06-28 15:01:10 -07:00
parent 587b5aa6a7
commit c9e42d3dd2
1 changed files with 27 additions and 0 deletions
@@ -0,0 +1,27 @@
+title: Users added to global or device admin roles
+id: 11c767ae-500b-423b-bae3-b234450736ed
+description: Monitor and alert for users added to device admin roles.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+logsource:
+  product: azure
+  service: auditlogs
+detection:
+  selection:
+    Category:
+      - RoleManagement
+    OperationName|contains:
+      - Add* *member to role
+    TargetResources|contains:
+      - 7698a772-787b-4ac8-901f-60d6b08affd2
+      - 62e90394-69f5-4237-9190-012177145e10
+  condition: selection
+falsepositives:
+  - Unknown
+level: high
+status: experimental
+tags:
+  - attack.valid_accounts
+  - attack.t1078