From 5515f6b73885988a9b7eaaf76fdae326a0f44eb1 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Sat, 8 Nov 2025 10:20:38 -0500
Subject: [PATCH 1/3] [Rule Tuning] Microsoft 365 Global Administrator Role Assigned

Fixes #5288
---
 ...microsoft_365_global_administrator_role_assign.toml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 46e3a33ef4b..81661fcdeab 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,16 +2,12 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/11/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator
-is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID
-identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
-Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all
-subscriptions and their settings and resources.
+Identifies when the Microsoft 365 Global Administrator or Company Administrator role is assigned to a user or service principal. The Global Administrator role has extensive privileges across Entra ID and Microsoft 365 services, making it a high-value target for adversaries seeking persistent access. Successful assignments of this role may indicate potential privilege escalation or unauthorized access attempts, especially if performed by accounts that do not typically manage high-privilege roles.
 """
 from = "now-9m"
 index = ["logs-o365.audit-*"]
@@ -63,6 +59,7 @@ severity = "medium"
 tags = [
 "Domain: Cloud",
 "Domain: SaaS",
+ "Domain: Identity",
 "Data Source: Microsoft 365",
 "Data Source: Microsoft 365 Audit Logs",
 "Use Case: Identity and Access Audit",
@@ -82,7 +79,6 @@ event.dataset:o365.audit
 ) and
 o365.audit.AzureActiveDirectoryEventType: 1 and
 o365.audit.RecordType: 8
- and not o365.audit.Target.Type: (4 or 5 or 6)
 '''
 
 

From 63ee7883d3994bb6fdd077433fa7005598cc7b2a Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Mon, 10 Nov 2025 08:56:26 -0500
Subject: [PATCH 2/3] TOML linted

---
 ...e_microsoft_365_global_administrator_role_assign.toml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

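Review bot: The rewritten description says the rule covers "Successful assignments", but none of the query clauses visible in this patch (`o365.audit.AzureActiveDirectoryEventType: 1 and o365.audit.RecordType: 8` in the last hunk) constrain the operation's result, and the query's opening clauses lie outside the hunks, so I cannot confirm a filter on `o365.audit.ResultStatus` or `event.outcome` there. If no such filter exists, failed assignment attempts will alert too and the wording should reflect that, e.g. `Identifies attempts to assign the Microsoft 365 Global Administrator or Company Administrator role to a user or service principal.`; if it does exist, naming it in the rule's `note` would save the next tuner the same check. The `[rule]` table this description belongs to continues past the end of the hunk.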
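Review bot: The removal of `and not o365.audit.Target.Type: (4 or 5 or 6)` carries no rationale in the hunk or the commit body beyond `Fixes #5288`, so a later tuner cannot tell which target identity types the exclusion was meant to drop or why it was wrong. `Target` is a collection in the Office 365 Management Activity schema, so a negated match on `Target.Type` excludes any event that carries even one target entry of those types; if every role-membership event carries such an entry, that would explain the old query suppressing genuine assignments, but that inference should be confirmed against sample events and the finding recorded, for instance as a short paragraph in the rule's `note` section. The `query` string this clause belongs to begins before the hunk, so the remaining selectors cannot be reviewed from here.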
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 81661fcdeab..270cd7c1a49 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -7,7 +7,11 @@ updated_date = "2025/11/08"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when the Microsoft 365 Global Administrator or Company Administrator role is assigned to a user or service principal. The Global Administrator role has extensive privileges across Entra ID and Microsoft 365 services, making it a high-value target for adversaries seeking persistent access. Successful assignments of this role may indicate potential privilege escalation or unauthorized access attempts, especially if performed by accounts that do not typically manage high-privilege roles.
+Identifies when the Microsoft 365 Global Administrator or Company Administrator role is assigned to a user or service
+principal. The Global Administrator role has extensive privileges across Entra ID and Microsoft 365 services, making it
+a high-value target for adversaries seeking persistent access. Successful assignments of this role may indicate
+potential privilege escalation or unauthorized access attempts, especially if performed by accounts that do not
+typically manage high-privilege roles.
 """
 from = "now-9m"
 index = ["logs-o365.audit-*"]
@@ -47,11 +51,10 @@ The Microsoft 365 Global Administrator role grants comprehensive administrative
 - Limit the number of Global Administrator accounts and enforce role-based access control (RBAC) using least privilege principles.
 - Consider implementing conditional access policies to limit role assignment actions to specific networks, devices, or user groups.
 """
-
 references = [
 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
 "https://learn.microsoft.com/en-us/purview/audit-log-activities",
- "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231"
+ "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231",
 ]
 risk_score = 47
 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"

From e708a969465eac79e1d95e9636fc9cb1491cd605 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 10 Nov 2025 08:57:12 -0500
Subject: [PATCH 3/3] Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml

---
 ...sistence_microsoft_365_global_administrator_role_assign.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 270cd7c1a49..0308d454a64 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -54,7 +54,7 @@ The Microsoft 365 Global Administrator role grants comprehensive administrative
 references = [
 "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
 "https://learn.microsoft.com/en-us/purview/audit-log-activities",
- "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231",
+ "https://www.blackhat.com/us-24/briefings/schedule/#unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231"
 ]
 risk_score = 47
 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
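Review bot: This hunk removes the trailing comma that PATCH 2/3 ("TOML linted") added to the same `references` element, so the series ends with a file that the lint step would apparently change again on its next run. Either drop this commit and keep the linted form, or confirm that the repository's formatter expects no trailing comma on the last array element and squash the two commits so the history does not record a lint/un-lint flip on one line.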