Suspicious modification of Global Administrator user properties

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties. Investigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	48602a24-67cf-4362-b258-3f4249e55def
Severity	Medium
Kind	Scheduled
Tactics	PrivilegeEscalation
Techniques	T1078.004
Required Connectors	AzureActiveDirectory, BehaviorAnalytics
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AuditLogs	OperationName == "Update user"	✓	✗	?
IdentityInfo		✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID

Solutions: Microsoft Entra ID

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules