Query Details

Sensitive Azure RBAC added on Management Group level

Azure Rbac Assignment Management Group

Query

let SensitiveRoles = dynamic(['Owner', 'User Access Administrator']);
CloudAppEvents
| where Application == 'Microsoft Azure' and ObjectId contains "/providers/Microsoft.Management"
| extend authorization = parse_json(tostring(parse_json(tostring(RawEventData.authorization))))
| where authorization.action == "Microsoft.Authorization/roleAssignments/write"
| extend AzureActivityId = parse_json(tostring(RawEventData)).ActivityId
| extend ClientIPAddress = parse_json(tostring(RawEventData.httpRequest)).clientIpAddress
| extend RoleAssignment = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence))
| extend AccountUpn = parse_json(tostring(RawEventData.claims)).["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
// Trigger alert if only sensitive role has been assigned
| extend RoleName = parse_json(tostring(RoleAssignment)).role
| extend RoleScope = parse_json(tostring(RoleAssignment)).roleAssignmentScope
| where RoleName in (SensitiveRoles)
| project TimeGenerated, ActionType, AccountUpn,  AccountDisplayName, AccountObjectId, ClientIPAddress, RoleName, RoleScope, RoleAssignment

Explanation

This query is designed to monitor and alert when sensitive Azure Role-Based Access Control (RBAC) roles, specifically "Owner" or "User Access Administrator," are assigned at the Management Group level in Microsoft Azure. Here's a simple breakdown:

  • Purpose: To identify and alert on the assignment of sensitive roles at a high level within Azure, which could indicate potential security risks.
  • Severity: The alert is considered to have a medium level of severity.
  • Frequency: The query runs every 4 hours and looks back over the last 4 hours of data.
  • Trigger: An alert is triggered if any such role assignment is detected (i.e., more than 0 occurrences).
  • Tactics and Techniques: It relates to tactics like Initial Access and Credential Access, and techniques such as T1078 (Valid Accounts) and T1110 (Brute Force).
  • Query Details:
    • It filters events from Azure where a role assignment action is performed at the Management Group level.
    • It checks if the role assigned is one of the sensitive roles ("Owner" or "User Access Administrator").
    • If such a role is assigned, it captures details like the time of the event, the type of action, the user involved, their IP address, and the scope of the role assignment.
  • Entity Mappings: The query maps relevant data to entities like Account, IP, and AzureResource to provide context in alerts.
  • Version: The query is at version 1.2.0 and is scheduled to run automatically.

In essence, this query helps in maintaining security by ensuring that any potentially risky role assignments at a high level in Azure are promptly identified and investigated.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

CloudAppEvents

Keywords

AzureRBACManagementGroupRoleAccountIPResource

Operators

letdynamiccontainsextendparse_jsontostringwhereinproject

Severity

Medium

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 4h

Period: 4h

Actions

GitHub