[Rule Tuning] Microsoft Entra ID Elevated Access to User Access Administrator (#5107)

terrancedejesus · web-flow · commit bb08af542a9e · 2025-09-22T13:20:58.000-04:00
* updating Azure AD Global Administrator Role Assigned

* removed logic changes as it only effects outside of PIM. Adding a different rule for these

* slight change to query

* tuning rule Microsoft Entra ID Elevated Access to User Access Administrator

* revert changes

* Added operation name to query logic
diff --git a/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml b/rules/integrations/azure/privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/22"
+updated_date = "2025/09/15"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,7 @@ note = """## Triage and Analysis
 
 ### Investigating Microsoft Entra ID Elevated Access to User Access Administrator
 
-This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Microsoft Entra ID (Azure AD). This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a **New Terms** rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.
+This rule identifies when a user elevates their permissions to the "User Access Administrator" role in Azure RBAC. This role allows full control over access management for Azure resources and can be abused by attackers for lateral movement, persistence, or privilege escalation. Since this is a New Terms rule, the alert will only trigger if the user has not performed this elevation in the past 14 days, helping reduce alert fatigue.
 
 ### Possible investigation steps
 
@@ -61,12 +61,14 @@ This rule identifies when a user elevates their permissions to the "User Access
 references = [
     "https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin?tabs=azure-portal%2Centra-audit-logs/",
     "https://permiso.io/blog/azures-apex-permissions-elevate-access-the-logs-security-teams-overlook",
+    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "8d9c4128-372a-11f0-9d8f-f661ea17fbcd"
-severity = "medium"
+severity = "high"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
     "Data Source: Microsoft Entra ID Audit Logs",
@@ -79,8 +81,10 @@ type = "new_terms"
 
 query = '''
 event.dataset: azure.auditlogs
-    and azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources"
-    and event.outcome: "success"
+    and (
+      azure.auditlogs.operation_name: "User has elevated their access to User Access Administrator for their Azure Resources" or
+      azure.auditlogs.properties.additional_details.value: "Microsoft.Authorization/elevateAccess/action"
+    ) and event.outcome: "success"
 '''
 
 
@@ -107,6 +111,6 @@ field = "new_terms_fields"
 value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-7d"
 
 
