diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
new file mode 100644
index 000000000..29e68ee6f
--- /dev/null
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2022/01/06"
+integration = "azure"
+maturity = "production"
+updated_date = "2022/01/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator
+is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
+Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
+SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access
+and manage all subscriptions and their settings and resources.
+"""
+from = "now-25m"
+index = ["filebeat-*", "logs-azure*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure AD Global Administrator Role Assigned"
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
+]
+risk_score = 47
+rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
+azure.auditlogs.operation_name:"Add member to role" and
+azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1098/"
+name = "Account Manipulation"
+id = "T1098"
+
+    [[rule.threat.technique.subtechnique]]
+    reference = "https://attack.mitre.org/techniques/T1098/003/"
+    name = "Add Office 365 Global Administrator Role"
+    id = "T1098.003"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
new file mode 100644
index 000000000..5036d1d4a
--- /dev/null
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2022/01/06"
+integration = "o365"
+maturity = "production"
+updated_date = "2022/01/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator
+is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
+Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
+SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access
+and manage all subscriptions and their settings and resources.
+"""
+from = "now-25m"
+index = ["filebeat-*", "logs-o365*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft 365 Global Administrator Role Assigned"
+note = """## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
+]
+risk_score = 47
+rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and
+o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1098/"
+name = "Account Manipulation"
+id = "T1098"
+
+    [[rule.threat.technique.subtechnique]]
+    reference = "https://attack.mitre.org/techniques/T1098/003/"
+    name = "Add Office 365 Global Administrator Role"
+    id = "T1098.003"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"