[Rule Tuning] Azure AD Global Administrator Role Assigned (#5090)

* updating Azure AD Global Administrator Role Assigned

* removed logic changes as it only effects outside of PIM. Adding a different rule for these

* slight change to query

* tuning severity

* Update rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml

Co-authored-by: Mika Ayenson, PhD <[email protected]>

* Update rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml

* Update rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml

---------

Co-authored-by: Mika Ayenson, PhD <[email protected]>

Author: terrancedejesus

rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml

@@ -2,39 +2,38 @@
 creation_date = "2022/01/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
 description = """
-In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
-is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
+In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator
+is a role that enables users to have access to all administrative features in Microsoft Entra ID and services that use Microsoft Entra ID
 identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
 Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
-subscriptions and their settings and resources.
+subscriptions and their settings and resources. They can also elevate privilege to User Access Administrator to pivot into Azure resources.
 """
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure AD Global Administrator Role Assigned"
+name = "Entra ID Global Administrator Role Assigned"
 note = """## Triage and analysis
 
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+### Investigating Entra ID Global Administrator Role Assigned
 
-### Investigating Azure AD Global Administrator Role Assigned
-
-Azure AD's Global Administrator role grants comprehensive access to manage Azure AD and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches.
+Microsoft Entra ID's Global Administrator role grants comprehensive access to manage Microsoft Entra ID and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches.
 
 ### Possible investigation steps
 
-- Review the Azure audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name.
+- Review the Microsoft Entra ID audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name.
 - Verify the identity of the user added to the Global Administrator role by examining the modified properties in the audit logs, specifically the new_value field indicating "Global Administrator".
 - Check the history of role assignments for the identified user to determine if this is a recurring pattern or a one-time event.
 - Investigate the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
 - Review any recent changes or activities performed by the newly assigned Global Administrator to identify any suspicious actions or configurations that may have been altered.
 - Consult with the organization's IT or security team to confirm if the role assignment was authorized and aligns with current administrative needs or projects.
+- Correlate with Microsoft Entra ID sign-in logs to check for any unusual login patterns or failed login attempts associated with the user who assigned the role.
+- Review the reported device to determine if it is a known and trusted device or if it raises any security concerns such as unexpected relationships with the source user.
 
 ### False positive analysis
 
@@ -52,24 +51,33 @@ Azure AD's Global Administrator role grants comprehensive access to manage Azure
 - Implement conditional access policies to restrict Global Administrator role assignments to specific, trusted locations or devices.
 - Review and update role assignment policies to ensure that only a limited number of trusted personnel have the ability to assign Global Administrator roles.
 - Enhance monitoring and alerting mechanisms to detect similar unauthorized role assignments in the future, ensuring timely response to potential threats.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
+    "https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/",
     "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
+    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
 ]
-risk_score = 47
+risk_score = 73
 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
-severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
-azure.auditlogs.operation_name:"Add member to role" and
-azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
+event.dataset:azure.auditlogs and
+    azure.auditlogs.properties.category:RoleManagement and
+    azure.auditlogs.operation_name:"Add member to role" and
+    azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: "\"Global Administrator\""
 '''