Query Details

Elevated GA for Azure Management

Query

id: 185fd95d-19b1-4494-bd6f-f2695a280f2f
name: Elevated Access management for Azure resources by Global Admin
description: |
  'Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a Global Administrator in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory.'
severity: Medium
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1078
  - T1110
query: |
  CloudAppEvents
  | where ApplicationId == '12260' and Application == 'Microsoft Azure'
  | where RawEventData.operationName == "Microsoft.Authorization/elevateAccess/action"
  // authorization and its evidence member are each stored as JSON text, so both are parsed
  | extend Evidence = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence))
  | where Evidence.roleDefinitionId == "b21f0835cd464e508cf8e297ff563cb1"
  | where Evidence.roleAssignmentScope == "/"
  | where Evidence.roleAssignmentId == "b507cd211c194747a82e1c2e8584c6da"
  | extend ClientIPAddress = parse_json(tostring(RawEventData.httpRequest)).clientIpAddress
  | extend RoleAssignmentScope = Evidence.roleAssignmentScope, RoleAssignmentId = Evidence.roleAssignmentId
  | project-away Evidence
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountDisplayName
      - identifier: AadUserId
        columnName: AccountObjectId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
version: 1.0.0

Explanation

This query detects elevated access management for Azure resources by Global Administrators. It looks for events in which a Global Administrator uses the Azure AD elevate-access mechanism to grant themselves access to Azure resources. The query filters events on the application ID and name, the role definition ID, the operation name, the role assignment scope (the root scope "/") and the role assignment ID, and extracts the client IP address, role assignment scope and role assignment ID as additional columns. The query runs every 4 hours and has a severity level of medium. The relevant techniques for this query are Privilege Escalation (T1078) and Account Manipulation (T1110).
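As an added illustration, not part of the original query or its author's work, the Python below re-implements the rule's filter logic over constructed CloudAppEvents-like rows and shows why the query parses authorization and evidence twice: both arrive as JSON text inside the RawEventData object. Field names and IDs are taken from the query above; the accounts, IP addresses and sample rows are constructed.

```python
import json

# Literals from the page's KQL query; the IDs are the ones the query filters on.
APP_ID, APP_NAME = "12260", "Microsoft Azure"
OPERATION = "Microsoft.Authorization/elevateAccess/action"
ROLE_DEFINITION_ID = "b21f0835cd464e508cf8e297ff563cb1"
ROLE_ASSIGNMENT_ID = "b507cd211c194747a82e1c2e8584c6da"
ROOT_SCOPE = "/"

def as_obj(value):
    """parse_json(tostring(x)) equivalent: JSON text becomes a dict, a dict passes through."""
    return json.loads(value) if isinstance(value, str) else (value or {})

def matches_rule(event):
    """True when one CloudAppEvents row satisfies every 'where' clause of the query."""
    if event.get("ApplicationId") != APP_ID or event.get("Application") != APP_NAME:
        return False
    raw = event.get("RawEventData", {})
    if raw.get("operationName") != OPERATION:
        return False
    # authorization and its evidence member are each JSON text, hence the double parse_json.
    evidence = as_obj(as_obj(raw.get("authorization")).get("evidence"))
    return (evidence.get("roleDefinitionId") == ROLE_DEFINITION_ID
            and evidence.get("roleAssignmentScope") == ROOT_SCOPE
            and evidence.get("roleAssignmentId") == ROLE_ASSIGNMENT_ID)

def detect(events):
    """Return (AccountDisplayName, ClientIPAddress) for every row the rule would alert on."""
    return [(e["AccountDisplayName"],
             as_obj(e["RawEventData"].get("httpRequest")).get("clientIpAddress"))
            for e in events if matches_rule(e)]

def make_event(user, ip, scope, operation=OPERATION):
    """Constructed CloudAppEvents-like row with the nested fields JSON-encoded as strings."""
    evidence = json.dumps({"roleDefinitionId": ROLE_DEFINITION_ID,
                           "roleAssignmentScope": scope,
                           "roleAssignmentId": ROLE_ASSIGNMENT_ID})
    return {"ApplicationId": APP_ID, "Application": APP_NAME, "AccountDisplayName": user,
            "RawEventData": {"operationName": operation,
                             "authorization": json.dumps({"evidence": evidence}),
                             "httpRequest": json.dumps({"clientIpAddress": ip})}}

# Constructed sample rows: a root-scope elevation (alert), a subscription-scope
# assignment (no alert) and an unrelated operation at root scope (no alert).
SAMPLE_EVENTS = [
    make_event("ga.user@contoso.example", "203.0.113.10", ROOT_SCOPE),
    make_event("ops.user@contoso.example", "198.51.100.7", "/subscriptions/<sub-id>"),
    make_event("ops.user@contoso.example", "198.51.100.7", ROOT_SCOPE,
               operation="Microsoft.Authorization/roleAssignments/write"),
]
```

Only the first constructed row satisfies every clause, matching the single alert the KQL would raise for the same three events.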

Details

Thomas Naunheim

Released: August 23, 2023

Tables

CloudAppEvents

Keywords

CloudAppEvents,ApplicationId,Application,RawEventData,authorization,evidence,roleDefinitionId,operationName,roleAssignmentScope,roleAssignmentId,ClientIPAddress,httpRequest,Account,FullName,AccountDisplayName,AadUserId,AccountObjectId,IP,Address,IPAddress

Operators

where, ==, and, parse_json, tostring, extend