
[Rule Tuning] Microsoft 365 Global Administrator Role Assigned #4918

@taniumalloy

Description

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml

Rule Tuning Type

Contextual Tuning - Customizing rules based on specific environment factors.

Description

In my environment, the "Add member to role." Azure audit logs include many target types and IDs related to the event context. For example, o365.audit.Target.ID may hold a list of values such as [User_123-12-123-b1-12345, 123-12-123-b1-12345, User, [email protected], 12345678] where [email protected] is the actual user.target.id value (i.e., [email protected] was added to a role). In cases like this, the o365.audit.Target.Type field may hold a list of type integers relating to the target objects such as [2, 2, 2, 5, 3].

The logic in the query prevents the rule from alerting on instances like this due to the and not o365.audit.Target.Type: (4 or 5 or 6) condition. Unless this behavior is intentional, an inclusive match on o365.audit.Target.Type may be a better alternative to ensure coverage.

Example Data

No response
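The issue turns on how a KQL negation behaves when the field is multi-valued: Elasticsearch treats a field holding several values as matching a term query when any one value matches, so `not o365.audit.Target.Type: (4 or 5 or 6)` drops the whole event as soon as a single 5 appears in the list. The following Python model is an added example, not code from the issue author or from the elastic/detection-rules project, and it evaluates only the one condition the issue quotes, not the full rule. The sample events are constructed to mirror the shape described above, and the `wanted_types` set used for the inclusive variant is an assumption; the real type codes that identify the role-membership target must be confirmed against your own tenant's audit logs.

```python
"""Model of KQL multi-value semantics for the condition quoted in the issue.

Added example; it is not the rule's own logic and evaluates only the
Target.Type condition, not the rest of the Global Administrator rule.
"""
from typing import Any, Dict, Iterable, List

# Constructed sample events mirroring the shapes described in the issue.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        # Multi-target event from the issue: one role assignment, but the
        # audit record carries several target objects with mixed type codes.
        "event.action": "Add member to role.",
        "o365.audit.Target.ID": [
            "User_123-12-123-b1-12345",
            "123-12-123-b1-12345",
            "User",
            "user@example.com",  # the actual user that was added (constructed)
            "12345678",
        ],
        "o365.audit.Target.Type": [2, 2, 2, 5, 3],
    },
    {
        # Constructed single-target event, included for contrast.
        "event.action": "Add member to role.",
        "o365.audit.Target.ID": ["user@example.com"],
        "o365.audit.Target.Type": [2],
    },
]


def _as_list(value: Any) -> List[Any]:
    """Normalise a scalar or array field to a list, the way ES treats both."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def field_matches(event: Dict[str, Any], field: str, values: Iterable[Any]) -> bool:
    """KQL `field: (a or b or c)` on a multi-valued field: true if ANY element matches."""
    wanted = set(values)
    return any(v in wanted for v in _as_list(event.get(field)))


def current_condition(event: Dict[str, Any]) -> bool:
    """The exclusion quoted in the issue: `... and not o365.audit.Target.Type: (4 or 5 or 6)`.

    Because matching is any-element, the negation suppresses every event
    whose type list contains 4, 5 or 6 anywhere, regardless of the other entries.
    """
    return (
        event.get("event.action") == "Add member to role."
        and not field_matches(event, "o365.audit.Target.Type", {4, 5, 6})
    )


def inclusive_condition(event: Dict[str, Any], wanted_types: Iterable[int] = (2,)) -> bool:
    """Inclusive alternative suggested in the issue: require a type of interest to be present.

    `wanted_types` is an ASSUMED placeholder; the correct codes must be taken
    from the tenant's own audit data rather than from this example.
    """
    return (
        event.get("event.action") == "Add member to role."
        and field_matches(event, "o365.audit.Target.Type", wanted_types)
    )


def compare(events: List[Dict[str, Any]]) -> List[Dict[str, bool]]:
    """Evaluate both variants over each event so the coverage gap is visible."""
    return [
        {"current": current_condition(e), "inclusive": inclusive_condition(e)}
        for e in events
    ]


if __name__ == "__main__":
    for idx, result in enumerate(compare(SAMPLE_EVENTS)):
        types = SAMPLE_EVENTS[idx]["o365.audit.Target.Type"]
        print(f"event {idx} Target.Type={types}: current={result['current']} inclusive={result['inclusive']}")
```

Running it shows the multi-target event is suppressed by the current negation (the 5 in the list is enough) while the single-target event still alerts; the inclusive variant fires on both. When tuning, verify the chosen inclusive type codes against a sample of true positives and benign "Add member to role." events so the change does not trade a false negative for a flood of false positives.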
