Detection rules › Kusto
Privileged Account Permissions Changed
Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts. Review any modifications to ensure they were made legitimately. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1078.004 Valid Accounts: Cloud Accounts |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Entra-AuditLogs | _catch_all | Entra ID audit event (any operation) |
Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- Admin promotion after Role Management Application Permission Grant (Kusto)
- Bulk Changes to Privileged Account Permissions (Kusto)
- Changes to PIM Settings (Kusto)
- Detect PIM Alert Disabling activity (Kusto)
- Multiple admin membership removals from newly created admin. (Kusto)
- New External User Granted Admin Role (Kusto)
- NRT Privileged Role Assigned Outside PIM (Kusto)
- NRT User added to Microsoft Entra ID Privileged Groups (Kusto)
Rule body kusto
id: 0433c8a3-9aa6-4577-beef-2ea23be41137
name: Privileged Account Permissions Changed
description: |
'Detects changes to permissions assigned to admin users. Threat actors may try and increase permission scope by adding additional roles to already privileged accounts.
Review any modifications to ensure they were made legitimately.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
queryFrequency: 1d
queryPeriod: 2d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
query: |
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName has "Add eligible member"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (admin_users)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend Group = tostring(TargetResources[0].displayName)
| extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
| mv-expand mod_props
| where mod_props.displayName == "Role.DisplayName"
| extend UserAgent = tostring(AdditionalDetails[0].value)
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUserPrincipalName
- identifier: Name
columnName: TargetAccountName
- identifier: UPNSuffix
columnName: TargetAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: TargetAadUserId
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
version: 1.0.7
kind: Scheduled
Stages and Predicates
Let binding: admin_users
let admin_users = (IdentityInfo
| where TimeGenerated > ago(2d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
Stage 1: source
AuditLogs
Stage 2: where
| where Category =~ "RoleManagement"
Stage 3: where
| where OperationName has "Add eligible member"
Stage 4: extend
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
Stage 5: where
| where tolower(TargetUserPrincipalName) in (admin_users)
References admin_users (defined above).
Stage 6: extend (10 consecutive steps)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend Group = tostring(TargetResources[0].displayName)
| extend RoleAddedTo = iif(isnotempty(TargetUserPrincipalName), TargetUserPrincipalName, Group)
| extend mod_props = TargetResources[0].modifiedProperties
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend RoleAddedBy = iif(isnotempty(InitiatingAppName), InitiatingAppName, InitiatingUserPrincipalName)
Stage 7: mv-expand
| mv-expand mod_props
Stage 8: where
| where mod_props.displayName == "Role.DisplayName"
Stage 9: extend (4 consecutive steps)
| extend UserAgent = tostring(AdditionalDetails[0].value)
| extend RoleAdded = tostring(parse_json(tostring(mod_props.newValue)))
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
Stage 10: project-reorder
| project-reorder TimeGenerated, OperationName, TargetUserPrincipalName, RoleAddedTo, RoleAdded, RoleAddedBy, InitiatingUserPrincipalName, InitiatingAppName
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Category | eq |
|
OperationName | match |
|
TargetUserPrincipalName | in |
|
displayName | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
TargetUserPrincipalName | extend |
TargetAadUserId | extend |
Group | extend |
RoleAddedTo | extend |
mod_props | extend |
InitiatingAppName | extend |
InitiatingAppServicePrincipalId | extend |
InitiatingUserPrincipalName | extend |
InitiatingAadUserId | extend |
InitiatingIPAddress | extend |
RoleAddedBy | extend |
UserAgent | extend |
RoleAdded | extend |
TargetAccountName | extend |
TargetAccountUPNSuffix | extend |
InitiatingAccountName | extend |
InitiatingAccountUPNSuffix | extend |