From c9e42d3dd2e6135cb00dc1ecfc02a9cd09101e8a Mon Sep 17 00:00:00 2001
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 15:01:10 -0700
Subject: [PATCH] Create azure_ad_users_added_to_device_admin_roles.yml

---
 ...e_ad_users_added_to_device_admin_roles.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml

diff --git a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
new file mode 100644
index 000000000..3a1963000
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
@@ -0,0 +1,27 @@
+title: Users added to global or device admin roles
+id: 11c767ae-500b-423b-bae3-b234450736ed
+description: Monitor and alert for users added to device admin roles.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category:
+ - RoleManagement
+ OperationName|contains:
+ - Add* *member to role
+ TargetResources|contains:
+ - 7698a772-787b-4ac8-901f-60d6b08affd2
+ - 62e90394-69f5-4237-9190-012177145e10
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+status: experimental
+tags:
+ - attack.valid_accounts
+ - attack.t1078
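Review bot: The `description` line only mentions device admin roles, while the title and the second role template ID in the `TargetResources|contains` list (`62e90394-69f5-4237-9190-012177145e10`, which appears to be the Global Administrator template) also cover Global Administrator, so an analyst reading the alert text will under-estimate its scope; I would change it to `description: Monitor and alert for users added to the Global Administrator or device administrator roles (matched on directory role template IDs).` The `falsepositives` entry `Unknown` is also weaker than it needs to be for a `level: high` rule, since routine role assignments by authorized administrators will fire it; something like `- Legitimate role assignments performed by authorized administrators` gives triage a starting point. The `TargetResources|contains` match relies on the GUID being searchable inside a nested array field, which depends on the backend's field flattening; if that is not guaranteed, consider stating the exact sub-property in a comment so the rule is not silently reduced to the `OperationName` match alone. Since the YAML indentation cannot be verified from this collapsed listing, it is worth confirming that `condition: selection` sits at the `detection` level rather than inside `selection`.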