Identifies actors who perform three or more Entra ID directory role assignments within a ten-minute window, consistent with automated post-compromise persistence. Results are enriched with the actor's most recent sign-in country for analyst triage. Adjust the threshold variable for environments with routine bulk provisioning workflows.

References:

- https://learn.microsoft.com/azure/active-directory/roles/permissions-reference
- https://learn.microsoft.com/azure/active-directory/reports-monitori

| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 8d2cc40f-f0e0-49bf-8983-164f7be3975d |
| Tactics | Persistence, PrivilegeEscalation |
| Techniques | T1098.003 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/MultipleDataSources/BulkRoleAssignmentsInShortWindow.yaml) |
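
The detection logic described above, sketched in KQL as an added example; it is not the query from the Azure-Sentinel repository. Constructed `datatable` rows stand in for `AuditLogs` and `SigninLogs`, the names `threshold`, `timeWindow` and the sample accounts are assumptions, and the sketch uses fixed ten-minute bins, so a burst that straddles a bin boundary can be split across two rows.

```kql
// Constructed sample rows; swap SampleAuditLogs/SampleSigninLogs for AuditLogs/SigninLogs in a workspace.
let threshold = 3;        // assumed name; raise it where bulk provisioning is routine
let timeWindow = 10m;     // assumed name for the ten-minute window
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, InitiatedBy:dynamic, TargetResources:dynamic)
[
    datetime(2024-05-01 09:01:00), "Add member to role", dynamic({"user":{"userPrincipalName":"Admin1@contoso.example"}}), dynamic([{"userPrincipalName":"svc-a@contoso.example"}]),
    datetime(2024-05-01 09:02:30), "Add member to role", dynamic({"user":{"userPrincipalName":"admin1@contoso.example"}}), dynamic([{"userPrincipalName":"svc-b@contoso.example"}]),
    datetime(2024-05-01 09:04:10), "Add member to role", dynamic({"user":{"userPrincipalName":"admin1@contoso.example"}}), dynamic([{"userPrincipalName":"svc-c@contoso.example"}]),
    datetime(2024-05-01 09:05:00), "Add member to role", dynamic({"user":{"userPrincipalName":"helpdesk@contoso.example"}}), dynamic([{"userPrincipalName":"user1@contoso.example"}]),
    datetime(2024-05-01 11:30:00), "Add member to role", dynamic({"user":{"userPrincipalName":"helpdesk@contoso.example"}}), dynamic([{"userPrincipalName":"user2@contoso.example"}])
];
let SampleSigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, Location:string)
[
    datetime(2024-04-30 17:00:00), "admin1@contoso.example", "US",
    datetime(2024-05-01 08:55:00), "admin1@contoso.example", "RO",
    datetime(2024-05-01 08:00:00), "helpdesk@contoso.example", "US"
];
// Most recent sign-in country per actor, used only for triage context.
let LastCountry = SampleSigninLogs
    | extend Actor = tolower(UserPrincipalName)
    | summarize arg_max(TimeGenerated, Location) by Actor
    | project Actor, LastSigninCountry = Location;
SampleAuditLogs
| where OperationName == "Add member to role"
// User-initiated assignments only; app-initiated events carry InitiatedBy.app instead.
| extend Actor = tolower(tostring(InitiatedBy.user.userPrincipalName))
| where isnotempty(Actor)
| extend Target = tostring(TargetResources[0].userPrincipalName)
| summarize Assignments = count(), Targets = make_set(Target),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Actor, bin(TimeGenerated, timeWindow)
| where Assignments >= threshold
| join kind=leftouter LastCountry on Actor
| project Actor, Assignments, Targets, FirstSeen, LastSeen, LastSigninCountry
```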