
Sentinel detections for Azure Activity

Sigma rule outputs from CloudSigma rendered into Sentinel queries against the Azure Activity schema. Every rule is mapped to MITRE ATT&CK and validated against the Sentinel output dialect.

01 Coverage at a glance

Production rules: 20
ATT&CK techniques: 20
ATT&CK tactics: 8
Output dialect: Sentinel

02 Rule index
Technique | Rule | Severity | Log source
T1040 | Network Sniffing on Azure Activity | medium | Azure Activity
T1059 | Command and Scripting Interpreter on Azure Activity | medium | Azure Activity
T1078 | Valid Accounts on Azure Activity | medium | Azure Activity
T1078.004 | Valid Accounts: Cloud Accounts on Azure Activity | medium | Azure Activity
T1098 | Account Manipulation on Azure Activity | medium | Azure Activity
T1098.001 | Account Manipulation: Additional Cloud Credentials on Azure Activity | medium | Azure Activity
T1110 | Brute Force on Azure Activity | medium | Azure Activity
T1190 | Exploit Public-Facing Application on Azure Activity | medium | Azure Activity
T1485 | Data Destruction on Azure Activity | medium | Azure Activity
T1486 | Data Encrypted for Impact on Azure Activity | medium | Azure Activity
T1491 | Defacement on Azure Activity | medium | Azure Activity
T1496 | Resource Hijacking on Azure Activity | medium | Azure Activity
T1498 | Network Denial of Service on Azure Activity | medium | Azure Activity
T1525 | Implant Internal Image on Azure Activity | medium | Azure Activity
T1530 | Data from Cloud Storage Object on Azure Activity | medium | Azure Activity
T1552.001 | Unsecured Credentials: Credentials In Files on Azure Activity | medium | Azure Activity
T1562 | Impair Defenses on Azure Activity | medium | Azure Activity
T1562.001 | Impair Defenses: Disable or Modify Tools on Azure Activity | medium | Azure Activity
T1562.007 | Impair Defenses: Disable or Modify Cloud Firewall on Azure Activity | medium | Azure Activity
T1562.008 | Impair Defenses: Disable Cloud Logs on Azure Activity | medium | Azure Activity

03 Example rule

Azure High-Privilege Role Assignment via Activity Log, generated by CloudSigma and validated against the Sentinel dialect.

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the rendered query in your SIEM against the cases listed in the rule's falsepositives section, using your environment's known automation identities, service accounts and IP allowlist.

Sigma rule · CloudSigma Sentinel · Azure Activity · 2026-04-24
title: Azure High-Privilege Role Assignment via Activity Log
id: 9c5d3e6f-7a8b-4c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: >
    Detects assignment of high-privilege Azure RBAC roles (Owner,
    Contributor, User Access Administrator, Role Based Access Control
    Administrator) to any principal at subscription, management group
    or resource scope. Adversaries with stolen cloud credentials
    routinely escalate by granting themselves these roles before
    pivoting to data, identity or network resources. The rule
    explicitly targets the Activity Log table where roleAssignments/
    write events land — earlier versions of this rule incorrectly
    referenced Microsoft.AAD/SignInLogs/write, which is not an Activity
    Log operation.
author: CloudSigma
date: 2026-04-24
references:
    - https://attack.mitre.org/techniques/T1078/004/
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
    - https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log-schema
tags:
    - attack.privilege-escalation
    - attack.t1078.004
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName.value: Microsoft.Authorization/roleAssignments/write
        status.value: Succeeded
    selection_high_privilege_role:
        properties.requestbody|contains:
            - 8e3af657-a8ff-443c-a75c-2fe8c4bcb635   # Owner
            - b24988ac-6180-42a0-ab88-20f7382dd24c   # Contributor
            - 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9   # User Access Administrator
            - f58310d9-a9f6-439a-9e8d-f62e7b41a168   # Role Based Access Control Administrator
    condition: selection and selection_high_privilege_role
falsepositives:
    - Landing-zone bootstrap or new-subscription onboarding granting Owner to platform automation
    - Privileged Identity Management (PIM) eligible-role activation by an approved admin
    - Break-glass account elevation during a documented incident
fields:
    - caller
    - operationName.value
    - properties.requestbody
    - resourceId
    - resultType
level: high
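
To make the rule's selection logic concrete, the following added example (not CloudSigma's code and not the rendered Sentinel query) evaluates the same conditions in Python over a handful of constructed Azure Activity events. The event shape follows only the fields the rule references (operationName.value, status.value, properties.requestbody, caller, resourceId); the subscription id, principal id and identities are placeholders, the low-privilege role id is a constructed dummy, and the allowed_callers parameter is an assumed tuning knob standing in for the falsepositives cases the rule lists.

```python
# Added example: the Sigma rule's 'selection and selection_high_privilege_role'
# condition reimplemented in Python over constructed Azure Activity events.
# Not CloudSigma's code; field names follow the rule, everything else is assumed.
import json

# Role definition IDs taken from the rule's selection_high_privilege_role block.
HIGH_PRIVILEGE_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "f58310d9-a9f6-439a-9e8d-f62e7b41a168": "Role Based Access Control Administrator",
}
ROLE_WRITE_OP = "microsoft.authorization/roleassignments/write"


def _nested(event, *path):
    """Walk a dotted Sigma field name such as operationName.value; '' if absent."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return ""
        cur = cur.get(key, "")
    return cur


def matches_rule(event):
    """Return the matched high-privilege role name, or None if the rule does not fire.

    Sigma string matching is case-insensitive, so both sides are lowered;
    '|contains' is modelled as a substring test on the serialised requestbody.
    """
    if str(_nested(event, "operationName", "value")).lower() != ROLE_WRITE_OP:
        return None
    if str(_nested(event, "status", "value")).lower() != "succeeded":
        return None
    body = _nested(event, "properties", "requestbody")
    if not isinstance(body, str):          # tolerate an already-parsed object
        body = json.dumps(body)
    body = body.lower()
    for role_id, role_name in HIGH_PRIVILEGE_ROLE_IDS.items():
        if role_id in body:                # id sits inside a longer roleDefinitions path
            return role_name
    return None


def run_detection(events, allowed_callers=()):
    """Apply the rule to a batch of events and return alert-worthy hits.

    allowed_callers (assumed tuning knob): identities expected to assign
    privileged roles, e.g. landing-zone automation, are suppressed, not alerted.
    """
    allowed = {c.lower() for c in allowed_callers}
    hits = []
    for event in events:
        role = matches_rule(event)
        if role is None:
            continue
        caller = str(event.get("caller", ""))
        if caller.lower() in allowed:
            continue
        hits.append({"caller": caller, "role": role,
                     "resourceId": event.get("resourceId", "")})
    return hits


# Constructed sample data; subscription, principal and caller values are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"


def _event(caller, status, role_id, op="Microsoft.Authorization/roleAssignments/write"):
    """Build a constructed Activity Log event in the shape the rule's fields reference."""
    body = {"Properties": {
        "RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        "PrincipalId": "00000000-0000-0000-0000-00000000beef",
        "Scope": SUB}}
    return {
        "caller": caller,
        "operationName": {"value": op},
        "status": {"value": status},
        "properties": {"requestbody": json.dumps(body)},
        "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/{role_id[:8]}",
    }


SAMPLE_EVENTS = [
    _event("jdoe@example.com", "Succeeded", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),      # Owner: fires
    _event("jdoe@example.com", "Failed", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"),         # failed write: no
    _event("jdoe@example.com", "Succeeded", "11111111-1111-1111-1111-111111111111"),      # dummy low-priv id: no
    _event("landing-zone-sp@example.com", "Succeeded", "b24988ac-6180-42a0-ab88-20f7382dd24c"),  # Contributor by automation
    _event("jdoe@example.com", "Succeeded", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
           op="Microsoft.Compute/virtualMachines/write"),                                # other op: no
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, allowed_callers=["landing-zone-sp@example.com"]):
        print(hit)
```

Without an allowlist the batch yields two hits (the Owner grant and the automation's Contributor grant); allowlisting the landing-zone service principal leaves only the Owner grant by the unexpected user, which is the tuning the page's falsepositives guidance describes.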
Sources
  • Sigma project, https://github.com/SigmaHQ/sigma
  • Sentinel documentation, https://docs.sentinel.com/
Last verified: 2026-04-24