Detection rules › YARA-L
Entra ID Recently Created User Assigned an Entra ID Role
Detect users who are newly created and then immediately assigned administrator level roles
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1098.003 Account Manipulation: Additional Cloud Roles |
References
Event coverage
Rule body yaral
/*
* Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
rule entra_id_recently_created_user_assigned_entra_id_roles {
meta:
author = "Google Cloud Security"
description = "Detect users who are newly created and then immediately assigned administrator level roles"
rule_id = "mr_ab6067cd-b8a0-49f7-9efb-8a9b3b096a49"
rule_name = "Entra ID Recently Created User Assigned an Entra ID Role"
tactic = "TA0003"
technique = "T1098.003"
assumption = "The list msgraph_watchlist_roles_guid is popualted with admin role guids, ie 62e90394-69f5-4237-9190-012177145e10"
reference = "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference"
type = "alert"
platform = "azure"
data_source = "azure ad"
severity = "High"
priority = "High"
events:
(
$create.metadata.event_type = "USER_CREATION" and
$create.metadata.product_event_type = "Add user" and
$create.metadata.product_name = "Azure AD Directory Audit" and
$create.metadata.vendor_name = "Microsoft" and
$create.security_result.action = "ALLOW" and
$create.principal.user.userid = $principal_userid and
$create.target.user.userid = $target_userid
)
$create.metadata.event_timestamp.seconds < $role.metadata.event_timestamp.seconds
(
$role.metadata.event_type = "USER_CHANGE_PERMISSIONS" and
$role.metadata.product_event_type = "Add member to role" and
$role.metadata.product_name = "Azure AD Directory Audit" and
$role.metadata.vendor_name = "Microsoft" and
$role.security_result.action = "ALLOW" and
//To detect on specific roles, they can be added to a reference list and the following line uncommented
//$role.target.resource.attribute.labels["Role.Role.TemplateId"] in %msgraph_watchlist_roles_guid and
$role.principal.user.userid = $principal_userid and
re.replace($role.target.user.userid, `@.*$`, "") = $target_userid
)
match:
$principal_userid, $target_userid over 30m
outcome:
$risk_score = 85
$principal_county_region = array_distinct(strings.concat($create.principal.location.city," ",$create.principal.location.state," ",$create.principal.location.country_or_region))
$assigned_role = array_distinct($role.target.user.title)
$assigned_role_guid = array_distinct($role.target.resource.attribute.labels["Role.TemplateId"])
condition:
$create and $role
}
Detection logic
Fires when at least one $create event in the 30m window and at least one $role event in the 30m window.
Events
$create
metadata.product_event_type = "Add user"security_result.action = "ALLOW"
$re.replace()
$role
metadata.product_event_type = "Add member to role"security_result.action = "ALLOW"
Correlation
Outcome
Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.
| Field | Expression |
|---|---|
risk_score | 85 |
principal_county_region | array_distinct(strings.concat($create.principal.location.city," ",$create.principal.location.state," ",$create.principal.location.country_or_region)) |
assigned_role | array_distinct($role.target.user.title) |
assigned_role_guid | array_distinct($role.target.resource.attribute.labels["Role.TemplateId"]) |