Query Details

Write Classic Administrators Of Az Subscription

Query

id: 9899789c-2f82-4560-9539-90396c264f3a
name: Suspicious assignment of (classic) administrator roles
description: |
  'Detection of writing authorization information as part of Azure classic administrator roles (ASM).'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
      - AzureActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
query: |
  let timeRange = 1d;
  let szOperationNames = dynamic(["MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/WRITE", "MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/DELETE"]);
  AzureActivity
  | where OperationNameValue in~ (szOperationNames) and ActivityStatusValue == "Success"
  | project timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled

Explanation

This query detects suspicious changes to Azure classic administrator (ASM) role assignments. It reads the AzureActivity table and keeps only events whose OperationNameValue matches MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/WRITE or MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/DELETE (the in~ operator makes the comparison case-insensitive) and whose ActivityStatusValue is "Success", so failed or denied attempts are not alerted on. The rule is scheduled once a day over the preceding day of data and fires on any match (triggerThreshold 0 with triggerOperator gt); its severity is Medium. The mapped tactics are Persistence and Privilege Escalation, and the relevant technique is T1098. For each match the query projects the timestamp (TimeGenerated), the account (Caller) and the IP address (CallerIpAddress) of the actor, and the IP address is mapped to an IP entity.
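To show which events the filter above keeps and which it drops, here is an added Python re-implementation of the rule's logic run over constructed AzureActivity rows; it is not part of the original query or page, and the callers, addresses and timestamps are placeholders.

```python
"""Added example: a Python mirror of the KQL filter, run over
constructed AzureActivity rows (not part of the original rule)."""

# The two operation names the rule watches; KQL's in~ is case-insensitive,
# so the comparison is done on the upper-cased value.
WATCHED_OPERATIONS = {
    "MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/WRITE",
    "MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/DELETE",
}


def classic_admin_changes(rows):
    """Keep successful classic-administrator write/delete operations and
    project the same three columns the KQL query emits."""
    hits = []
    for row in rows:
        op = row.get("OperationNameValue", "")
        # in~ : case-insensitive membership test
        if op.upper() not in WATCHED_OPERATIONS:
            continue
        # == on ActivityStatusValue is case-sensitive in KQL, as here
        if row.get("ActivityStatusValue") != "Success":
            continue
        hits.append({
            "timestamp": row["TimeGenerated"],
            "AccountCustomEntity": row["Caller"],
            "IPCustomEntity": row["CallerIpAddress"],
        })
    return hits


# Constructed sample rows (all values are placeholders).
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-08-23T10:00:00Z",
     "OperationNameValue": "Microsoft.Authorization/classicAdministrators/write",
     "ActivityStatusValue": "Success",
     "Caller": "alice@example.com", "CallerIpAddress": "203.0.113.10"},
    {"TimeGenerated": "2023-08-23T10:05:00Z",
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/CLASSICADMINISTRATORS/DELETE",
     "ActivityStatusValue": "Success",
     "Caller": "bob@example.com", "CallerIpAddress": "198.51.100.7"},
    {"TimeGenerated": "2023-08-23T10:07:00Z",
     "OperationNameValue": "Microsoft.Authorization/classicAdministrators/write",
     "ActivityStatusValue": "Failed",   # denied attempt: not alerted
     "Caller": "mallory@example.com", "CallerIpAddress": "192.0.2.44"},
    {"TimeGenerated": "2023-08-23T10:09:00Z",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Success",  # RBAC, not classic: out of scope
     "Caller": "carol@example.com", "CallerIpAddress": "203.0.113.11"},
]

if __name__ == "__main__":
    for hit in classic_admin_changes(SAMPLE_ROWS):
        print(hit)
```

Only the first two rows survive: the mixed-case write is matched because of the case-insensitive comparison, while the failed attempt and the RBAC role assignment are ignored.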

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AzureActivity

Keywords

AzureActivity,OperationNameValue,ActivityStatusValue,Success,TimeGenerated,Caller,CallerIpAddress,IP,Address

Operators

let, dynamic, where, in~, and, ==, project