[Rule Tuning] Microsoft 365 Global Administrator Role Assigned (#5293)

terrancedejesus · web-flow · commit 7dac1ee80389 · 2025-11-11T13:13:07.000-05:00
* [Rule Tuning] Microsoft 365 Global Administrator Role Assigned Fixes #5288 * TOML linted * Update rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,16 +2,16 @@
 creation_date = "2022/01/06"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/11/08"
 
 [rule]
 author = ["Elastic"]
 description = """
-In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator / Company Administrator
-is a role that enables users to have access to all administrative features in Entra ID and services that use Entra ID
-identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
-Skype for Business Online. Adversaries can add users as Global Administrators to maintain access and manage all
-subscriptions and their settings and resources.
+Identifies when the Microsoft 365 Global Administrator or Company Administrator role is assigned to a user or service
+principal. The Global Administrator role has extensive privileges across Entra ID and Microsoft 365 services, making it
+a high-value target for adversaries seeking persistent access. Successful assignments of this role may indicate
+potential privilege escalation or unauthorized access attempts, especially if performed by accounts that do not
+typically manage high-privilege roles.
 """
 from = "now-9m"
 index = ["logs-o365.audit-*"]
@@ -51,7 +51,6 @@ The Microsoft 365 Global Administrator role grants comprehensive administrative
 - Limit the number of Global Administrator accounts and enforce role-based access control (RBAC) using least privilege principles.
 - Consider implementing conditional access policies to limit role assignment actions to specific networks, devices, or user groups.
 """
-
 references = [
     "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
     "https://learn.microsoft.com/en-us/purview/audit-log-activities",
@@ -63,6 +62,7 @@ severity = "medium"
 tags = [
     "Domain: Cloud",
     "Domain: SaaS",
+    "Domain: Identity",
     "Data Source: Microsoft 365",
     "Data Source: Microsoft 365 Audit Logs",
     "Use Case: Identity and Access Audit",
@@ -82,7 +82,6 @@ event.dataset:o365.audit
     )
     and o365.audit.AzureActiveDirectoryEventType: 1
     and o365.audit.RecordType: 8
-    and not o365.audit.Target.Type: (4 or 5 or 6)
 '''
 
 
