Risky Sign-in with ElevateAccess

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Looks for users who had a risky sign in (based on Entra ID Identity Protection risk score) and then performed and ElevateAccess action. ElevateAccess operations can be used by Global Admins to obtain permissions over Azure resources.

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	158b565b-411b-4dec-81de-2d2bcaf0c34c
Tactics	PrivilegeEscalation
Required Connectors	MicrosoftThreatProtection
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Privilege%20escalation/riskySignInToElevateAccess.yaml)

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries