Azure Authorization Azure-Microsoft.Authorization

3 operations, identified by operationName in the audit log.

operationName	Description
_catch_all	Catch-all for Azure-Microsoft.Authorization rules matching the resource provider but no specific operation.
Microsoft.Authorization/elevateAccess/action	Grants the calling Global Administrator the User Access Administrator role over all Azure subscriptions and management groups at root scope; a high-privilege escalation path.
Microsoft.Authorization/roleAssignments/write	Creates or updates an Azure RBAC role assignment, granting a principal access to a scope; a primary persistence and privilege-escalation control-plane operation.

_catch_all: Azure Authorization (catch-all)

Resource provider: Azure-Microsoft.Authorization

Description

Catch-all for Azure-Microsoft.Authorization rules matching the resource provider but no specific operation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Authorization/elevateAccess/action

Resource provider: Azure-Microsoft.Authorization

Description

Grants the calling Global Administrator the User Access Administrator role over all Azure subscriptions and management groups at root scope; a high-privilege escalation path.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Detection Rules #

View all rules referencing this event →

Sigma #

Azure Subscription Permission Elevation Via ActivityLogs source high: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

Microsoft.Authorization/roleAssignments/write

Resource provider: Azure-Microsoft.Authorization

Description

Creates or updates an Azure RBAC role assignment, granting a principal access to a scope; a primary persistence and privilege-escalation control-plane operation.

Fields #

Name	Description
`OperationName`	Localized display name of the ARM operation. Sentinel also exposes OperationNameValue (the uppercase ARM operation string the catalog keys on).
`OperationNameValue`	The ARM operation string (e.g. MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE). The per-event discriminator; case-insensitive.
`ResourceProvider`	The Azure resource-provider namespace (e.g. Microsoft.Compute).
`ResourceId`	Full ARM resource id the operation acted on.
`Caller`	Identity that initiated the operation (UPN, object id, or service principal).
`CallerIpAddress`	IP address of the caller.
`ActivityStatusValue`	Operation status (Started, Succeeded, Failed, Accepted).
`Level`	Severity level of the activity record (Informational, Warning, Error, Critical).
`Authorization`	RBAC authorization context: the action evaluated, scope, and role assignment.
`Properties`	Operation-specific properties bag; shape varies by operation.
`SubscriptionId`	GUID of the subscription the resource belongs to.
`TimeGenerated`	UTC timestamp when the event was recorded.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`count_`	ge	`5`	1 rule	kusto
`operationName`	eq	`MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE`	1 rule	panther, sigma
`properties.statusCode`	eq	`Created`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma #

Role Assignment Created source informational: Creates role assignment.

Elastic #

Azure RBAC Built-In Administrator Roles Assigned source high: Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.

Kusto #

Suspicious granting of permissions to an account source medium: Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.

References #

Azure resource provider operations reference https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Monitor AzureActivity table schema https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Azure Authorization Azure-Microsoft.Authorization

_catch_all: Azure Authorization (catch-all)

Description

Fields #

References #

Microsoft.Authorization/elevateAccess/action

Description

Fields #

Detection Rules #

Sigma #

References #

Microsoft.Authorization/roleAssignments/write

Description

Fields #

Common Indicators #

Detection Rules #

Sigma #

Elastic #

Kusto #

References #

Keyboard shortcuts

Search operators