-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #9310 from scorgatelli/scorgatelli-role-assignment…
…-rule Detect privileged role assignments ignoring PIM activations (#9218)
- Loading branch information
Showing
1 changed file
with
65 additions
and
0 deletions.
There are no files selected for viewing
65 changes: 65 additions & 0 deletions
65
Solutions/Azure Active Directory/Analytic Rules/UserAssignedNewPrivilegedRole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| id: 746ddb63-f51b-4563-b449-a8b13cf302ec | ||
| name: User Assigned New Privileged Role | ||
| description: | | ||
| 'Identifies when a new eligible or active privileged role is assigned to a user. Does not alert on PIM activations. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate. | ||
| Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' | ||
| severity: High | ||
| requiredDataConnectors: | ||
| - connectorId: AzureActiveDirectory | ||
| dataTypes: | ||
| - AuditLogs | ||
| queryFrequency: 2h | ||
| queryPeriod: 2h | ||
| triggerOperator: gt | ||
| triggerThreshold: 0 | ||
| status: Available | ||
| tactics: | ||
| - Persistence | ||
| relevantTechniques: | ||
| - T1078.004 | ||
| tags: | ||
| - AADSecOpsGuide | ||
| query: | | ||
| AuditLogs | ||
| | where Category =~ "RoleManagement" | ||
| | where AADOperationType in ("Assign", "AssignEligibleRole", "CreateRequestGrantedRole", "CreateRequestPermanentEligibleRole", "CreateRequestPermanentGrantedRole") | ||
| | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role") | ||
| | mv-apply TargetResourceSubject = TargetResources on | ||
| ( | ||
| where TargetResourceSubject.type in~ ("User", "ServicePrincipal") | ||
| | extend Target = iff(TargetResourceSubject.type =~ "ServicePrincipal", tostring(TargetResourceSubject.displayName), tostring(TargetResourceSubject.userPrincipalName)), | ||
| subjectProps = TargetResourceSubject.modifiedProperties | ||
| ) | ||
| | mv-apply TargetResourceRole = TargetResources on | ||
| ( | ||
| // mimic modifiedProperties so we can use the same logic to get the role name regardless of where it comes from | ||
| where TargetResourceRole.type in~ ("Role") | ||
| | extend roleProps = pack_array(bag_pack("displayName","Role.DisplayName", "newValue", TargetResourceRole.displayName)) | ||
| ) | ||
| | mv-apply Property = iff(array_length(subjectProps) > 0, subjectProps, roleProps) on | ||
| ( | ||
| where Property.displayName =~ "Role.DisplayName" | ||
| | extend RoleName = trim('"',tostring(Property.newValue)) | ||
| ) | ||
| | where RoleName contains "Admin" | ||
| | extend InitiatingApp = tostring(InitiatedBy.app.displayName) | ||
| | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(InitiatedBy.user.userPrincipalName)) | ||
| // Comment below to alert for PIM activations | ||
| | where Initiator != "MS-PIM" | ||
| | summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result | ||
| | extend TargetName = tostring(split(Target,'@',0)[0]), TargetUPNSuffix = tostring(split(Target,'@',1)[0]), InitiatorName = tostring(split(Initiator,'@',0)[0]), InitiatorUPNSuffix = tostring(split(Initiator,'@',1)[0]) | ||
| entityMappings: | ||
| - entityType: Account | ||
| fieldMappings: | ||
| - identifier: Name | ||
| columnName: TargetName | ||
| - identifier: UPNSuffix | ||
| columnName: TargetUPNSuffix | ||
| - entityType: Account | ||
| fieldMappings: | ||
| - identifier: Name | ||
| columnName: InitiatorName | ||
| - identifier: UPNSuffix | ||
| columnName: InitiatorUPNSuffix | ||
| version: 1.0.0 | ||
| kind: Scheduled |