Service Principal Assigned Privileged Role

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Detects a privileged role being added to a Service Principal. Ensure that any assignment to a Service Principal is valid and appropriate - Service Principals should not be assigned to very highly privileged roles such as Global Admin. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	84cccc86-5c11-4b3a-aca6-7c8f738ed0f7
Severity	Medium
Kind	Scheduled
Tactics	PrivilegeEscalation
Techniques	T1078.004
Required Connectors	AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AuditLogs	OperationName has_all "member to role"	✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID

Solutions: Microsoft Entra ID

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules