Merged
Expand Up @@ -2,16 +2,16 @@
creation_date = "2022/01/06"
integration = ["o365"]
maturity = "production"
updated_date = "2025/09/08"
updated_date = "2025/11/08"

[rule]
author = ["Elastic"]
description = """
In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator
is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID
identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all
subscriptions and their settings and resources.
Identifies when the Microsoft 365 Global Administrator or Company Administrator role is assigned to a user or service
principal. The Global Administrator role has extensive privileges across Entra ID and Microsoft 365 services, making it
a high-value target for adversaries seeking persistent access. Successful assignments of this role may indicate
potential privilege escalation or unauthorized access attempts, especially if performed by accounts that do not
typically manage high-privilege roles.
"""
from = "now-9m"
index = ["logs-o365.audit-*"]
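Review bot: the rewritten description reads "the Microsoft 365 Global Administrator or Company Administrator role", which a reader can take as two different roles, whereas the text being removed framed them as one role with two names ("The Global Administrator / Company Administrator is a role"). Suggest wording that keeps the equivalence, e.g. "the Global Administrator role (also shown as Company Administrator in older role names and audit output)", so an analyst tuning the rule knows a single role is meant whichever string the event carries. The new closing sentence ("especially if performed by accounts that do not typically manage high-privilege roles") describes a baselining condition that the query itself does not implement; that is fine as guidance, but it belongs in the investigation notes rather than the description, which should state what the query actually matches. The `updated_date` bump to 2025/11/08 is consistent with the content change.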
Expand Down Expand Up @@ -51,7 +51,6 @@ The Microsoft 365 Global Administrator role grants comprehensive administrative
- Limit the number of Global Administrator accounts and enforce role-based access control (RBAC) using least privilege principles.
- Consider implementing conditional access policies to limit role assignment actions to specific networks, devices, or user groups.
"""

references = [
"https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
"https://learn.microsoft.com/en-us/purview/audit-log-activities",
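Review bot: the only change in this hunk is the dropped blank line before `references`, which is harmless. Since this block is being touched, the first reference (`https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator`) is still on the retired docs.microsoft.com host and only works through a redirect, while the entry right after it already uses learn.microsoft.com; suggest updating the first URL to its learn.microsoft.com location in the same commit so the reference list is consistent and does not depend on the redirect surviving.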
Expand All @@ -63,6 +62,7 @@ severity = "medium"
tags = [
"Domain: Cloud",
"Domain: SaaS",
"Domain: Identity",
"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Use Case: Identity and Access Audit",
Expand All @@ -82,7 +82,6 @@ event.dataset:o365.audit
)
and o365.audit.AzureActiveDirectoryEventType: 1
and o365.audit.RecordType: 8
and not o365.audit.Target.Type: (4 or 5 or 6)
'''


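Review bot: deleting `and not o365.audit.Target.Type: (4 or 5 or 6)` widens the rule to every target type, and nothing in the diff says what those three types are or why they were excluded before. The new description's "assigned to a user or service principal" suggests the exclusion is what kept service-principal targets out and that including them is the intent; if so, state that explicitly in the PR/commit description and in the rule's investigation guide, because the false-positive profile changes (assignments to those target types that were silent now alert, and the `from = "now-9m"` window means they alert promptly). Before merging, run one sample event of each previously excluded type through the query and confirm the remaining clauses (`o365.audit.AzureActiveDirectoryEventType: 1` and `o365.audit.RecordType: 8`) still select only the role-assignment events for them rather than other directory changes on the same target.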