Query Details

Elevated Access management for Azure resources by Global Admin

Elevated G Afor Azure Management

Query

CloudAppEvents
| where ApplicationId == '12260'and Application == 'Microsoft Azure'
| where parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleDefinitionId == "b21f0835cd464e508cf8e297ff563cb1"
| where RawEventData.operationName == "Microsoft.Authorization/elevateAccess/action"
| where parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentScope == "/"
| where parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentId == "b507cd211c194747a82e1c2e8584c6da"
| extend ClientIPAddress = parse_json(tostring(RawEventData.httpRequest)).clientIpAddress
| extend RoleAssignmentScope = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentScope
| extend RoleAssignmentId = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence)).roleAssignmentId

Explanation

This query is designed to monitor and detect when a Global Administrator in Azure Active Directory (Azure AD) elevates their access to manage Azure resources. Here's a simplified breakdown of what the query does:

  1. Purpose: The query checks for instances where a Global Administrator in Azure AD assigns themselves elevated access to all Azure subscriptions and management groups within their directory. This is a potential security concern because Azure AD and Azure resources are typically secured independently.

  2. Severity: The severity level of this query is marked as "Medium," indicating a moderate level of concern if such activity is detected.

  3. Frequency: The query runs every 4 hours to check for any new instances of elevated access.

  4. Detection Logic:

    • It looks for events in the CloudAppEvents table where the application is 'Microsoft Azure' and the specific operation is "Microsoft.Authorization/elevateAccess/action."
    • It checks if the role definition and assignment IDs match specific values that indicate elevated access.
    • It extracts the client IP address and role assignment details for further analysis.
  5. Tactics and Techniques: The query is associated with the "Privilege Escalation" tactic and maps to techniques T1078 (Valid Accounts) and T1110 (Brute Force).

  6. Entity Mappings: The query maps detected events to account and IP entities, allowing for further investigation of the user and IP address involved.

In summary, this query helps identify when a Global Administrator in Azure AD elevates their access to manage Azure resources, which could indicate a potential security risk or misuse of privileges.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

CloudAppEvents

Keywords

AzureADResourcesGlobalAdministratorSubscriptionsManagementGroupsDirectoryCloudAppEventsApplicationIdApplicationRawEventDataAuthorizationEvidenceRoleDefinitionIdOperationNameClientIPAddressRoleAssignmentScopeRoleAssignmentIdAccountFullNameAccountDisplayNameAadUserIdAccountObjectIdIPAddressIPAddress

Operators

whereandparse_jsontostringextend

Severity

Medium

Tactics

PrivilegeEscalation

MITRE Techniques

Frequency: 4h

Period: 4h

Actions

GitHub