Looking for a sample event that triggers when one of the existing users has been assigned with "global admin privilege" in office 365

asked 2020-06-11T11:03:17.133+00:00
Venkatesh 31 Reputation points

On the SIEM solution (e.g. Azure Sentinel), I am looking to create a correlation rule that will use the event that gets generated when one of the existing users has been assigned the 'global admin' privileges. As I do not have any such instances from the past, I am looking for help if any of you have got it. It will help me understand the format of the event, fields etc.

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. answered 2020-06-12T19:50:21.487+00:00
    Saurabh Sharma 17,291 Reputation points Microsoft Employee

    You can use an event query from the Analytics blade to create a rule that will trigger an incident if any user gets assigned the Global Administrator (Company Administrator) role from the Office 365 portal.


    Please find below the event rule which you can use on the Azure AD audit logs:

    AuditLogs
    // Azure AD role-management audit events for a member being added to a directory role
    | where Category == "RoleManagement"
      and OperationName == "Add member to role"
      and AADOperationType == "Assign"
      // restricts to assignments performed through the Office 365 admin portal
      and Identity == "Microsoft Office 365 Portal"
      // modifiedProperties[1] is the Role.DisplayName entry; its newValue is the JSON-encoded
      // role name, and Global Administrator is logged as "Company Administrator"
      and TargetResources[0].modifiedProperties[1].newValue contains "Company Administrator"

    Once this rule is run, Sentinel will display incidents under the "Incidents" blade, which you can further investigate. You can also modify the above query and the event rule to display only relevant information.

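To show the shape of the event the question asks about, here is an added example (not code from the answer above or from Microsoft): a constructed AuditLogs row for "Add member to role", shaped after the Azure AD audit log schema, and a matcher that scans every modifiedProperties entry (by Role.TemplateId or Role.DisplayName) instead of relying on the fixed [1] index used in the KQL. The user principal names and the second role's template ID are made-up placeholders.

```python
import json

# Template ID of the Global Administrator directory role; its display name appears as
# "Company Administrator" in older audit records and "Global Administrator" in newer ones.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
GLOBAL_ADMIN_NAMES = {"Company Administrator", "Global Administrator"}
def _decode(value):
    # modifiedProperties old/newValue are JSON-encoded strings, e.g. "\"Company Administrator\"".
    return json.loads(value) if isinstance(value, str) else value

def is_global_admin_assignment(event):
    """True when an AuditLogs row records a user being added to the Global Administrator role.
    Every modifiedProperties entry is scanned instead of trusting the fixed [1] index."""
    expected = ("RoleManagement", "Add member to role", "Assign")
    if (event.get("Category"), event.get("OperationName"), event.get("AADOperationType")) != expected:
        return False
    for target in event.get("TargetResources", []):
        for prop in target.get("modifiedProperties", []):
            name, new_value = prop.get("displayName"), _decode(prop.get("newValue"))
            if name == "Role.TemplateId" and new_value == GLOBAL_ADMIN_TEMPLATE_ID:
                return True
            if name == "Role.DisplayName" and new_value in GLOBAL_ADMIN_NAMES:
                return True
    return False

def find_global_admin_assignments(events):
    """Return (actor, promoted user) pairs for every matching row: the fields an alert needs."""
    hits = []
    for event in filter(is_global_admin_assignment, events):
        actor = event.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName") or event.get("Identity")
        hits.extend((actor, t.get("userPrincipalName"))
                    for t in event.get("TargetResources", []) if t.get("type") == "User")
    return hits

def _role_event(role_name, template_id, upn, op_type="Assign"):
    # Constructed sample row shaped after the Azure AD audit log schema (not real tenant data).
    return {
        "Category": "RoleManagement", "OperationName": "Add member to role",
        "AADOperationType": op_type, "Identity": "Microsoft Office 365 Portal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"type": "User", "userPrincipalName": upn, "modifiedProperties": [
            {"displayName": "Role.DisplayName", "oldValue": None, "newValue": json.dumps(role_name)},
            {"displayName": "Role.TemplateId", "oldValue": None, "newValue": json.dumps(template_id)}]}],
    }

SAMPLE_EVENTS = [  # the 1111... template ID below is a placeholder, not a real role
    _role_event("Company Administrator", GLOBAL_ADMIN_TEMPLATE_ID, "alice@contoso.example"),
    _role_event("Helpdesk Administrator", "11111111-1111-1111-1111-111111111111", "bob@contoso.example"),
    _role_event("Global Administrator", GLOBAL_ADMIN_TEMPLATE_ID, "carol@contoso.example", "Unassign"),
]
```

Only the first sample row is reported; the second is a different role and the third is a removal rather than an assignment.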
