Sigma rules generated by CloudSigma, rendered into Microsoft Sentinel queries against the Entra ID Audit schema. Every rule is mapped to MITRE ATT&CK and validated against the target (Sentinel) dialect.
| Technique | Rule | Severity | Log source |
|---|---|---|---|
| T1078.004 | Valid Accounts: Cloud Accounts on Entra ID Audit | medium | Entra ID Audit |
| T1098 | Account Manipulation on Entra ID Audit | medium | Entra ID Audit |
| T1528 | Steal Application Access Token on Entra ID Audit | medium | Entra ID Audit |
Entra ID Privileged Role Assignment, generated by CloudSigma and validated against the Sentinel dialect.

```yaml
title: Entra ID Privileged Role Assignment
id: 444fbbdb-07dd-49da-897b-2a97ad54b9e7
status: test
description: >
  Detects assignment of privileged directory roles in Entra ID such as
  Global Administrator or Privileged Role Administrator. Attackers may
  escalate privileges by assigning admin roles to compromised accounts.
author: CloudSigma
date: 2026-02-09
references:
  - https://attack.mitre.org/techniques/T1098/
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1098
logsource:
  product: azure
  service: auditlogs
detection:
  selection:
    properties.operationType: Add
    properties.targetResources[].type: Role
  selection_privileged:
    properties.targetResources[].displayName|contains:
      - Global Administrator
      - Privileged Role Administrator
      - Application Administrator
      - Exchange Administrator
  condition: selection and selection_privileged
falsepositives:
  - Legitimate Privileged Identity Management (PIM) activations
  - IT team onboarding new global administrators
level: critical
```
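To see what the rule's `selection and selection_privileged` logic actually fires on, the following added example evaluates the two selections over a handful of constructed Entra ID audit records. It is illustration code written for this page, not CloudSigma's renderer or a Sentinel query; the sample events, the `get_path` helper and the `matches_rule_strict` variant are all assumptions made here. It also shows one edge case worth knowing about: because `selection` and `selection_privileged` are separate selections joined by `and`, the `type: Role` test and the privileged-name test may be satisfied by different entries of `targetResources`, so a non-role resource whose name happens to contain an admin role string will match.

```python
from typing import Any

# Constructed Entra ID audit records shaped like the Sentinel AuditLogs rows the
# rule targets (hypothetical sample data, not real tenant logs). Only the fields
# the rule inspects are populated.
SAMPLE_EVENTS = [
    {   # 0: Global Administrator assigned to a user -> should alert
        "operationName": "Add member to role",
        "properties": {
            "operationType": "Add",
            "targetResources": [
                {"type": "Role", "displayName": "Global Administrator"},
                {"type": "User", "displayName": "bob@example.com"},
            ],
        },
    },
    {   # 1: low-privilege role -> no alert
        "operationName": "Add member to role",
        "properties": {
            "operationType": "Add",
            "targetResources": [
                {"type": "Role", "displayName": "Directory Readers"},
            ],
        },
    },
    {   # 2: removal, not assignment -> no alert
        "operationName": "Remove member from role",
        "properties": {
            "operationType": "Delete",
            "targetResources": [
                {"type": "Role", "displayName": "Global Administrator"},
            ],
        },
    },
    {   # 3: admin role string on a non-Role resource, plus an unrelated Role entry
        "operationName": "Add owner to application",
        "properties": {
            "operationType": "Add",
            "targetResources": [
                {"type": "Application", "displayName": "Exchange Administrator Helper"},
                {"type": "Role", "displayName": "Directory Readers"},
            ],
        },
    },
]

PRIVILEGED_ROLES = [
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
    "Exchange Administrator",
]


def get_path(event: dict, path: str) -> list[Any]:
    """Resolve a dotted Sigma field path; a segment ending in '[]' expands a
    list, so the result is every value reachable under the path (assumed
    helper written for this example)."""
    values: list[Any] = [event]
    for seg in path.split("."):
        expand = seg.endswith("[]")
        key = seg[:-2] if expand else seg
        nxt: list[Any] = []
        for v in values:
            if isinstance(v, dict) and key in v:
                child = v[key]
                if expand and isinstance(child, list):
                    nxt.extend(child)
                else:
                    nxt.append(child)
        values = nxt
    return values


def matches_rule(event: dict) -> bool:
    """The rule as written: 'selection and selection_privileged', each selection
    evaluated over the whole targetResources array independently."""
    selection = (
        "Add" in get_path(event, "properties.operationType")
        and "Role" in get_path(event, "properties.targetResources[].type")
    )
    names = get_path(event, "properties.targetResources[].displayName")
    selection_privileged = any(role in str(n) for n in names for role in PRIVILEGED_ROLES)
    return selection and selection_privileged


def matches_rule_strict(event: dict) -> bool:
    """Tighter variant (not part of the rule): the privileged name must sit on
    the same targetResources entry whose type is Role."""
    if "Add" not in get_path(event, "properties.operationType"):
        return False
    for res in get_path(event, "properties.targetResources[]"):
        if isinstance(res, dict) and res.get("type") == "Role":
            if any(role in str(res.get("displayName", "")) for role in PRIVILEGED_ROLES):
                return True
    return False


def alerting_events(events: list[dict], strict: bool = False) -> list[int]:
    """Return the indexes of events that would raise an alert."""
    fn = matches_rule_strict if strict else matches_rule
    return [i for i, e in enumerate(events) if fn(e)]


if __name__ == "__main__":
    print("rule as written:", alerting_events(SAMPLE_EVENTS))          # [0, 3]
    print("same-entry variant:", alerting_events(SAMPLE_EVENTS, strict=True))  # [0]
```

Event 3 is the one to watch: the rule as written alerts on it, the same-entry variant does not. In a Sentinel rendering that difference corresponds to whether the query correlates `type` and `displayName` within a single expanded `TargetResources` element (for example via `mv-apply`) or tests the two conditions against the array separately; the PIM and onboarding false positives listed in the rule apply either way.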