diff --git a/rules/office365/o365-admin-role-assignment.yml b/rules/office365/o365-admin-role-assignment.yml
index 546ee0ae9..01710379d 100644
--- a/rules/office365/o365-admin-role-assignment.yml
+++ b/rules/office365/o365-admin-role-assignment.yml
@@ -17,7 +17,8 @@ impact:
 confidentiality: 2
 integrity: 3
 availability: 0
-where: equals("log.Workload", "AzureActiveDirectory") && oneOf("action", ["Add member to group.", "Add delegated permission grant.", "Add app role assignment grant to user."])
+where: equals("log.Workload", "AzureActiveDirectory") && oneOf("action", ["Add member to group.", "Add delegated permission grant.", "Add member to role."]) &&
+ equals("actionResult", "Success")
 groupBy:
 - adversary.user
 - lastEvent.log.ObjectId
diff --git a/rules/office365/o365_admin_role_assignment.yml b/rules/office365/o365_admin_role_assignment.yml
deleted file mode 100644
index baece5b46..000000000
--- a/rules/office365/o365_admin_role_assignment.yml
+++ /dev/null
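Review bot: The rewritten `where` line drops `Add app role assignment grant to user.` from the action list, and because the same commit deletes o365_admin_role_assignment.yml, the `Add eligible member to role in PIM requested (permanent).` action is no longer matched by any rule visible here, so PIM eligible role assignments and app role grants lose detection coverage. If the surviving rule is meant to absorb the deleted one, the action list should carry that value over: `oneOf("action", ["Add member to group.", "Add delegated permission grant.", "Add member to role.", "Add eligible member to role in PIM requested (permanent)."])`. The continuation `equals("actionResult", "Success")` on the next line works only through plain-scalar folding; the deleted file's `where: |` block form with one clause per line is clearer and matches the existing style. The surviving rule also keeps `confidentiality: 2` / `availability: 0` and groups by `lastEvent.log.ObjectId` rather than `target.user`, both lower-severity and less user-centric than the rule being removed, so confirm that is the intended treatment now that role membership changes fall under it.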
@@ -1,33 +0,0 @@
-# Rule version v1.0.0
-
-dataTypes:
- - o365
-name: Office 365 Global Admin Role Assignment
-impact:
- confidentiality: 3
- integrity: 3
- availability: 2
-category: Privilege Escalation
-technique: "T1098 - Account Manipulation"
-adversary: origin
-references:
- - https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
- - https://attack.mitre.org/techniques/T1098/
-description: |
- Detects assignment of high-privilege administrative roles in Office 365, particularly Global Administrator, Exchange Administrator, and SharePoint Administrator. These roles provide extensive control over the tenant and are high-value targets for persistence.
-
- Next Steps:
- 1. Verify the role assignment was authorized through proper governance
- 2. Review the specific role being assigned and the target user
- 3. Check if the assigning administrator's account shows signs of compromise
- 4. Verify the role assignment follows the principle of least privilege
- 5. Review the target user's recent activities post-assignment
- 6. If unauthorized, immediately remove the role assignment
- 7. Implement Privileged Identity Management (PIM) for just-in-time access
- 8. Enable alerts on all privileged role modifications
-where: |
- oneOf("action", ["Add member to role.", "Add eligible member to role in PIM requested (permanent)."]) &&
- equals("actionResult", "Success")
-groupBy:
- - adversary.user
- - target.user