Summary
The Microsoft Entra ID Elevated Access to User Access Administrator rule could be tuned to reduce the New Terms window to 7 days instead of 14. With an extended window, we may run into FNs (false negatives) where an adversary's elevation falls inside the window of an administrator's legitimate, temporary User Access Administrator elevation to Azure Resources, so the account is no longer a "new term". This rule is also very low volume (< 100 alerts in the last 6 months), so we should not expect any sudden spike in noise. New Terms should also help with performance.
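To illustrate the FN argument above, here is an added Python emulation of New Terms semantics (not Elastic's implementation or this rule's query): an event alerts only when its term value has not been seen within the history window. The account names and timestamps are constructed; the second admin elevation is the one a 14-day window would suppress.

```python
from datetime import datetime, timedelta

# Constructed "elevate access" events: (timestamp, user principal name).
EVENTS = [
    (datetime(2024, 5, 1, 9, 0), "admin@example.com"),   # legitimate temporary elevation
    (datetime(2024, 5, 11, 2, 0), "admin@example.com"),  # same account, 10 days later (suspicious)
    (datetime(2024, 5, 12, 8, 0), "ops@example.com"),    # first ever elevation for this account
]


def new_terms_alerts(events, history_window_days):
    """Simplified New Terms emulation: alert when the user principal has not
    appeared in an elevate-access event within the preceding history window."""
    alerts = []
    last_seen = {}
    for ts, user in sorted(events):
        prev = last_seen.get(user)
        if prev is None or ts - prev > timedelta(days=history_window_days):
            alerts.append((ts, user))
        last_seen[user] = ts
    return alerts


def suppressed_by_window(events, history_window_days):
    """Events that would NOT alert under the given window (potential FNs)."""
    fired = set(new_terms_alerts(events, history_window_days))
    return [e for e in sorted(events) if e not in fired]


if __name__ == "__main__":
    for days in (14, 7):
        print(f"history window = {days} days")
        for ts, user in new_terms_alerts(EVENTS, days):
            print(f"  ALERT {ts:%Y-%m-%d %H:%M} {user}")
        for ts, user in suppressed_by_window(EVENTS, days):
            print(f"  (no alert) {ts:%Y-%m-%d %H:%M} {user}")
```

With the 14-day window the May 11 elevation by admin@example.com is silently suppressed; the 7-day window surfaces it while still alerting only once per account within any week.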
Severity has also been increased, as this is a common but critical vector for adversaries moving from ATO of an Entra ID Global Admin to Azure Resource takeover.
This rule will correlate with another new rule that identifies when User Access Administrator is assigned via Azure rather than Entra ID. The logic should not overlap and produce duplicate alerts, since one is a self-elevating action and the other an assignment by an admin.