GitHub Repo

Detection: Azure AD Privileged Role Assigned

Updated Date: 2026-05-13 ID: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a Author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the "Add member to role" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.

 1`azure_monitor_aad` "operationName"="Add member to role"
 2  
 3| rename properties.* as *
 4  
 5| rename initiatedBy.user.userPrincipalName as initiatedBy
 6  
 7| rename targetResources{}.modifiedProperties{}.newValue as roles
 8  
 9| eval role=mvindex(roles,1)
10  
11| fillnull
12  
13| stats count min(_time) as firstTime max(_time) as lastTime
14    BY dest user src
15       vendor_account vendor_product initiatedBy
16       result role signature
17  
18| lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description
19  
20| search isprvilegedadrole = True
21  
22| `security_content_ctime(firstTime)`
23  
24| `security_content_ctime(lastTime)`
25  
26| `azure_ad_privileged_role_assigned_filter`

Data Source

Name Platform Sourcetype Source
Azure Active Directory Add member to role Azure icon Azure 'azure:monitor:aad' 'Azure AD'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
azure_ad_privileged_role_assigned_filter search *
azure_ad_privileged_role_assigned_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1098.003 Additional Cloud Roles Persistence
Exploitation
Installation
DE.CM
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Intermediate Finding (Risk Event) Yes
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.

Known False Positives

Administrators will legitimately assign the privileged roles users as part of administrative tasks. Filter as needed.

Associated Analytic Story

Finding

Title Entity Field Entity Type Risk Score
A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ initiatedBy user 50

Intermediate Findings

Message Entity Field Entity Type Risk Score
A privileged Azure AD role was assigned for User $user$ initiated by $initiatedBy$ user user 50

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset Azure AD azure:monitor:aad
Integration ✅ Passing Dataset Azure AD azure:monitor:aad

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 16