On the SIEM solution (eg. Azure sentinel), i am looking to create a correlation rule that will use the event that gets generated when one of the existing users has been assigned with the 'global admin' privileges. As i do not have any such instances from the past, i am looking for help if any of you have got it. It will help me understand the format of the event, fields etc.