question

Venkatesh-2192 asked:

Looking for a sample event that triggers when one of the existing users has been assigned the "global admin" privilege in Office 365

On the SIEM solution (e.g. Azure Sentinel), I am looking to create a correlation rule that will use the event that gets generated when one of the existing users has been assigned the 'global admin' privileges. As I do not have any such instances from the past, I am looking for help if any of you have got it. It will help me understand the format of the event, fields, etc.

azure-sentinel

1 Answer

SaurabhSharma-msft answered:

You can use an event query from the Analytics blade to create a rule that will trigger an incident if any user is assigned the Global Administrator (Company Administrator) role from the Office 365 portal.

[Screenshot: sentinel-analytics.png (Analytics blade)]

Please find below the event rule, which you can use on Azure AD audit logs:

 AuditLogs
 | where Category == "RoleManagement"
   and OperationName == "Add member to role"
   and AADOperationType == "Assign"
   // Identity is the caller; this limits the rule to assignments made through the Office 365 portal
   and Identity == "Microsoft Office 365 Portal"
 // Scan every modified property rather than assuming the role name sits at modifiedProperties[1]
 | mv-expand Target = TargetResources
 | mv-expand Prop = Target.modifiedProperties
 | where tostring(Prop.displayName) == "Role.DisplayName"
   and tostring(Prop.newValue) contains "Company Administrator"
 | project TimeGenerated, Identity, TargetUser = tostring(Target.userPrincipalName), Role = tostring(Prop.newValue)

Once this rule runs, Sentinel will display incidents under the "Incidents" blade, which you can further investigate. You can also modify the above query and the event rule to display only relevant information.

[Screenshot: sentinel-incident.png (Incidents blade)]

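Since the question asks what the event looks like, here is an added example (not part of the answer above and not Microsoft's code) that mirrors the rule's logic in Python over constructed sample events laid out in the shape of the Sentinel AuditLogs table. The field names (Category, OperationName, AADOperationType, Identity, InitiatedBy, TargetResources[].modifiedProperties[].displayName/newValue) follow the Azure AD audit log schema; the user principal names, role object ID and the events themselves are constructed placeholders. The detector iterates over all modified properties rather than trusting a fixed index, and the second sample event shows why that matters.

```python
"""Python mirror of the Sentinel Global Administrator assignment rule, run over
constructed AuditLogs-shaped events (example code, not from the original answer)."""
import json

# Role names to treat as Global Administrator. "Company Administrator" is the
# name that appears in Azure AD audit events for this role.
GLOBAL_ADMIN_ROLE_NAMES = ("Company Administrator", "Global Administrator")

ROLE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real role id


def prop(name, value):
    """One modifiedProperties entry. Azure AD stores newValue as a JSON-encoded
    string, e.g. "\"Company Administrator\"", so encode it the same way."""
    return {"displayName": name, "oldValue": None, "newValue": json.dumps(value)}


def make_event(identity, actor_upn, target_upn, props):
    """Build a constructed AuditLogs-shaped role assignment event."""
    return {
        "Category": "RoleManagement",
        "OperationName": "Add member to role",
        "AADOperationType": "Assign",
        "Identity": identity,  # the caller, as in the Sentinel Identity column
        "InitiatedBy": {"user": {"userPrincipalName": actor_upn}},
        "TargetResources": [{
            "type": "User",
            "userPrincipalName": target_upn,
            "modifiedProperties": props,
        }],
    }


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    # 1: Global Administrator assigned through the Office 365 portal -> alert
    make_event("Microsoft Office 365 Portal", "admin1@contoso.example", "alice@contoso.example",
               [prop("Role.ObjectID", ROLE_ID), prop("Role.DisplayName", "Company Administrator")]),
    # 2: same role via another client, with Role.DisplayName at index 0, so a
    #    filter hard-coded to modifiedProperties[1] would miss it -> alert
    make_event("Azure Portal", "admin2@contoso.example", "bob@contoso.example",
               [prop("Role.DisplayName", "Company Administrator"), prop("Role.ObjectID", ROLE_ID)]),
    # 3: a less privileged role -> no alert
    make_event("Microsoft Office 365 Portal", "admin1@contoso.example", "carol@contoso.example",
               [prop("Role.ObjectID", ROLE_ID), prop("Role.DisplayName", "Helpdesk Administrator")]),
]


def assigned_role_names(event):
    """Yield every Role.DisplayName value found in the event's TargetResources."""
    for target in event.get("TargetResources") or []:
        for p in target.get("modifiedProperties") or []:
            if p.get("displayName") != "Role.DisplayName":
                continue
            raw = p.get("newValue")
            try:
                yield str(json.loads(raw)) if raw is not None else ""
            except ValueError:
                yield str(raw)  # tolerate a newValue that is not JSON-encoded


def is_global_admin_assignment(event, portal_only=False):
    """Equivalent of the rule's where-clause; portal_only reproduces the
    Identity == "Microsoft Office 365 Portal" restriction."""
    if event.get("Category") != "RoleManagement":
        return False
    if event.get("OperationName") != "Add member to role":
        return False
    if event.get("AADOperationType") != "Assign":
        return False
    if portal_only and event.get("Identity") != "Microsoft Office 365 Portal":
        return False
    return any(name in role for role in assigned_role_names(event)
               for name in GLOBAL_ADMIN_ROLE_NAMES)


def find_global_admin_assignments(events, portal_only=False):
    """Return one alert dict (actor, targets) per matching event."""
    alerts = []
    for event in events:
        if not is_global_admin_assignment(event, portal_only):
            continue
        initiated_by = (event.get("InitiatedBy") or {}).get("user") or {}
        actor = initiated_by.get("userPrincipalName") or event.get("Identity")
        targets = [t.get("userPrincipalName") for t in event.get("TargetResources") or []
                   if t.get("type") == "User"]
        alerts.append({"actor": actor, "targets": targets})
    return alerts


if __name__ == "__main__":
    for alert in find_global_admin_assignments(SAMPLE_EVENTS):
        print(f"Global Administrator assigned to {alert['targets']} by {alert['actor']}")
```

Running it with portal_only=False reports events 1 and 2; with portal_only=True only event 1, which is the coverage gap the Identity filter in the KQL introduces when assignments can also be made from other clients.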