Query Details
// Rule : Azure - Mass Privileged Role Assignments by Single Identity
// Severity: High
// Tactics : PrivilegeEscalation, Persistence
// MITRE : T1098
// Freq : PT30M Period: PT1H
//==========================================================================================
// Callers to ignore: PIM and identity-governance automation (has_any matches these as terms of the lower-cased caller)
let ExcludedCallerPatterns = dynamic(["ms-pim", "privilegedidentity", "identitygovernance", "aadidentitygovernance"]);
// Built-in read-only role definition GUIDs (Reader and similar) that do not grant write access and are not counted
let ReadOnlyRoleIds = dynamic(["acdd72a7-3385-48ef-bd42-f606fba81ae7", "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", "72fafb9e-0641-4937-9268-a91bfd8191a3"]);
AzureActivity
| where TimeGenerated > ago(1h)
| where OperationNameValue =~ "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue =~ "Success"
| where not(tolower(Caller) has_any (ExcludedCallerPatterns))
| where isnotempty(CallerIpAddress)
| where CallerIpAddress !startswith "168.63."   // Azure platform virtual IP (168.63.129.16), not a real client
// Properties is a JSON string whose requestbody slot is itself a JSON-encoded string, so it must be
// parsed twice (parse_json(tostring(...))). A single parse_json leaves RoleDefId empty on every row,
// which silently disables the read-only filter. JSON key names are case-sensitive: confirm
// "properties" / "roleDefinitionId" against a real roleAssignments/write event in your workspace.
| extend RequestBody = parse_json(tostring(parse_json(Properties).requestbody))
| extend RoleDefId = tolower(tostring(RequestBody.properties.roleDefinitionId))
| where not(RoleDefId has_any (ReadOnlyRoleIds))
| summarize
    AssignmentCount = count(),
    DistinctRoles = dcount(RoleDefId),
    AssignedRoles = make_set(RoleDefId, 10),
    AffectedScopes = make_set(ResourceGroup, 10),
    SourceIPs = make_set(CallerIpAddress, 5),
    CallerIP = take_any(CallerIpAddress),   // any() is deprecated; take_any() is the current name
    FirstAssignment = min(TimeGenerated),
    LastAssignment = max(TimeGenerated)
    by Caller, SubscriptionId, bin(TimeGenerated, 30m)
| where AssignmentCount >= 5
| extend
    AccountName = tostring(split(Caller, "@")[0]),
    AccountUPNSuffix = tostring(split(Caller, "@")[1])

This query detects a single identity making many privileged Azure RBAC role assignments within a short period. Here is a breakdown:
Purpose: The query identifies a single identity (a user, service principal or managed identity; Caller is a UPN for users and an object or application ID otherwise) that writes many role assignments in one subscription within a 30-minute bin. A burst of assignments is a common sign of privilege escalation (granting oneself or a controlled principal Owner, Contributor or User Access Administrator) or of persistence through extra access paths that survive a password reset.
Exclusions: It drops callers whose name contains PIM or identity-governance automation patterns (such as ms-pim), and it drops assignments of the listed read-only built-in roles (Reader and similar), so that only roles that grant write access are counted.
Time Frame: It reads the last hour of AzureActivity data, groups events into 30-minute bins, and is scheduled to run every 30 minutes (Freq PT30M, Period PT1H). Because the lookback is twice the run interval, one burst can be seen by two consecutive runs; group incidents by Caller and bin start to avoid duplicate alerts.
Activity Filter: It keeps only successful Microsoft.Authorization/roleAssignments/write operations that carry a non-empty caller IP, and drops IPs beginning with 168.63., the Azure platform virtual IP range (168.63.129.16), which is not a real client address.
Data Collection: For each caller, subscription and 30-minute bin it collects the number of assignments (AssignmentCount), the number of distinct roles (DistinctRoles), up to ten role definition IDs (AssignedRoles), up to ten affected resource groups (AffectedScopes), up to five source IPs (SourceIPs), one representative IP (CallerIP), and the first and last assignment times.
Alert Condition: It flags a caller that makes five or more qualifying role assignments in one subscription within a single 30-minute bin.
Output: For each flagged case it returns the account name (the part of the caller before the @), the UPN suffix (the domain after the @, empty for service principals and managed identities), and the summarized assignment data above.
This query helps security teams quickly identify and investigate potential misuse of privileged roles in Azure. Two tuning notes: infrastructure-as-code pipelines (Terraform, Bicep, ARM deployments) legitimately produce bursts of assignments, so add their service principals to ExcludedCallerPatterns rather than raising the threshold; and if alerts come back with an empty AssignedRoles set, the requestbody parse path does not match the logged body and the read-only filter is not doing anything.

David Alonso
Released: March 12, 2026