Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query detects when newly created Global admin removes multiple existing global admins which can be an attempt by adversaries to lock down organization and retain sole access. Investigate reasoning and intention of multiple membership removal by new Global admins and take necessary actions accordingly.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft Entra ID |
| ID | cda5928c-2c1e-4575-9dfa-07568bc27a4f |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Impact |
| Techniques | T1531 |
| Required Connectors | AzureActiveDirectory |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
AuditLogs |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊