Merge pull request #11727 from Azure/v-prasadboke-entraid

Added new Analytic rule to the Solution 'AzureRBAC'

Author: v-prasadboke

Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml

@@ -0,0 +1,58 @@
+id: 132fdff4-c044-4855-a390-c1b71e0f833b
+name: Azure RBAC (Elevate Access)
+kind: Scheduled
+description: |
+  'Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)'
+severity: High
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
+queryFrequency: 2h
+queryPeriod: 2h
+triggerOperator: GreaterThan
+triggerThreshold: 0
+tactics:
+  - PrivilegeEscalation
+relevantTechniques: 
+  - T1078
+enabled: true
+query: |
+  AuditLogs
+  | where Category =~ "AzureRBACRoleManagementElevateAccess"
+  | where ActivityDisplayName =~ "User has elevated their access to User Access Administrator for their Azure Resources"
+  | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
+  | extend IPAddress = tostring(InitiatedBy.user.ipAddress) 
+  | project
+      TimeGenerated,
+      Actor,
+      OperationName,
+      IPAddress,
+      Result,
+      LoggedByService
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: Actor
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address 
+        columnName: IPAddress
+suppressionDuration: PT5H
+suppressionEnabled: false
+alertRuleTemplateName: null
+incidentConfiguration: 
+  createIncident: true
+  groupingConfiguration: 
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: PT5H
+    matchingMethod: AllEntities
+    groupByEntities: []
+    groupByAlertDetails: []
+    groupByCustomDetails: []
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+version: 1.0.0 
+ 

Solutions/Microsoft Entra ID/Data/Solution_AAD.json

@@ -73,7 +73,8 @@
 		"Solutions/Microsoft Entra ID/Analytic Rules/UserAccounts-CABlockedSigninSpikes.yaml",
 		"Solutions/Microsoft Entra ID/Analytic Rules/UseraddedtoPrivilgedGroups.yaml",
 		"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedNewPrivilegedRole.yaml",
-		"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml"
+		"Solutions/Microsoft Entra ID/Analytic Rules/UserAssignedPrivilegedRole.yaml",
+		"Solutions/Microsoft Entra ID/Analytic Rules/AzureRBAC.yaml"
 
 	],
 	"Playbooks": [
@@ -90,7 +91,7 @@
 		"Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json"
 	],
 	"BasePath": "C:\\GitHub\\Azure-Sentinel",
-	"Version": "3.2.10",
+	"Version": "3.3.0",
 	"Metadata": "SolutionMetadata.json",
 	"TemplateSpec": true,
 	"StaticDataConnectorIds": [

Solutions/Microsoft Entra ID/Package/3.3.0.zip

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 63, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/MicrosoftEntraID_logo.svg\"width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Microsoft Entra ID [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.\n\n**Data Connectors:** 1, **Workbooks:** 2, **Analytic Rules:** 64, **Playbooks:** 11\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -1038,6 +1038,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic64",
+            "type": "Microsoft.Common.Section",
+            "label": "Azure RBAC (Elevate Access)",
+            "elements": [
+              {
+                "name": "analytic64-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action. [Learn more](https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal)"
+                }
+              }
+            ]
           }
         ]
       },