Sensitive Azure RBAC added on Management Group level
Azure Rbac Assignment Management Group
Query
let SensitiveRoles = dynamic(['Owner', 'User Access Administrator']);
CloudAppEvents
| where Application == 'Microsoft Azure' and ObjectId contains "/providers/Microsoft.Management"
| extend authorization = parse_json(tostring(parse_json(tostring(RawEventData.authorization))))
| where authorization.action == "Microsoft.Authorization/roleAssignments/write"
| extend AzureActivityId = parse_json(tostring(RawEventData)).ActivityId
| extend ClientIPAddress = parse_json(tostring(RawEventData.httpRequest)).clientIpAddress
| extend RoleAssignment = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence))
| extend AccountUpn = parse_json(tostring(RawEventData.claims)).["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
// Trigger alert if only sensitive role has been assigned
| extend RoleName = parse_json(tostring(RoleAssignment)).role
| extend RoleScope = parse_json(tostring(RoleAssignment)).roleAssignmentScope
| where RoleName in (SensitiveRoles)
| project TimeGenerated, ActionType, AccountUpn, AccountDisplayName, AccountObjectId, ClientIPAddress, RoleName, RoleScope, RoleAssignmentExplanation
This query is designed to monitor and alert when sensitive Azure Role-Based Access Control (RBAC) roles, specifically "Owner" or "User Access Administrator," are assigned at the Management Group level in Microsoft Azure. Here's a simple breakdown:
- Purpose: To identify and alert on the assignment of sensitive roles at a high level within Azure, which could indicate potential security risks.
- Severity: The alert is considered to have a medium level of severity.
- Frequency: The query runs every 4 hours and looks back over the last 4 hours of data.
- Trigger: An alert is triggered if any such role assignment is detected (i.e., more than 0 occurrences).
- Tactics and Techniques: It relates to tactics like Initial Access and Credential Access, and techniques such as T1078 (Valid Accounts) and T1110 (Brute Force).
- Query Details:
- It filters events from Azure where a role assignment action is performed at the Management Group level.
- It checks if the role assigned is one of the sensitive roles ("Owner" or "User Access Administrator").
- If such a role is assigned, it captures details like the time of the event, the type of action, the user involved, their IP address, and the scope of the role assignment.
- Entity Mappings: The query maps relevant data to entities like Account, IP, and AzureResource to provide context in alerts.
- Version: The query is at version 1.2.0 and is scheduled to run automatically.
In essence, this query helps in maintaining security by ensuring that any potentially risky role assignments at a high level in Azure are promptly identified and investigated.
