diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
index 232a1364d34..90660c36cb0 100644
--- a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
+++ b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/22"
+updated_date = "2025/09/15"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,7 @@ note = """## Triage and Analysis
 
 ### Investigating Microsoft Entra ID Elevated Access to User Access Administrator
 
-This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Microsoft Entra ID (Azure AD). This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a **New Terms** rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.
+This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Azure RBAC. This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a New Terms rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.
 
 ### Possible investigation steps
 
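Review bot: The rewritten note still tells the analyst the alert fires only if the user "has not performed this elevation in the past 14 days", but the last hunk of this same change shortens `history_window_start` to `now-7d`, so the investigation guide now misstates the rule's look-back window. Change the sentence to `...if the user has not performed this elevation in the past 7 days, helping reduce alert fatigue.`, or drop the number and refer to the configured history window so the two cannot drift apart again. The `note` string opens before this hunk (its `note = """` line appears only as hunk context) and continues past it.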
@@ -61,12 +61,14 @@ This rule identifies when a user elevates their permissions to the "User Access
 references = [
     "https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs/",
     "https://permiso.io/blog/azures-apex-permissions-elevate-access-the-logs-security-teams-overlook",
+    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
     "Data Source: Microsoft Entra ID Audit Logs",
@@ -79,8 +81,10 @@ type = "new_terms"
 
 query = '''
 event.dataset: azure.auditlogs
-    and azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources"
-    and event.outcome: "success"
+    and (
+        azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources" or
+        azure.auditlogs.properties.additional_details.value: "Microsoft.Authorization/elevateAccess/action"
+    ) and event.outcome: "success"
 '''
 
 
@@ -107,6 +111,6 @@ field = "new_terms_fields"
 value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 
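Review bot: The new `azure.auditlogs.properties.additional_details.value: "Microsoft.Authorization/elevateAccess/action"` branch is constrained only by `event.dataset: azure.auditlogs` and `event.outcome: "success"`; it pins neither the paired `additional_details.key` nor an `operation_name`, so any audit event whose additional-details entries carry that string would match, not only the elevate-access operation. If `additional_details` is the usual array of key/value pairs (presumably, judging by the field name), consider matching the key alongside the value, or at least confirm that this action string never appears on other operations before shipping it at severity "high". KQL has no comment syntax, so the reason a second branch is needed at all — which event shape it catches that the `operation_name` match misses — should be stated in the rule's `description` or `note`; this change leaves that unexplained. The `query` block is fully inside this hunk.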