[New Rule] Azure RBAC Built-In Administrator Roles Assigned #5113
+112
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!-- Thank you for your interest in and contributing to Detection Rules! There are a few simple things to check before submitting your pull request that can help with the review process. You should delete these items from your submission, but they are here to help bring them to your attention. --> # Pull Request *Issue link(s)*: * #5108 <!-- Add Related Issues / PRs for context. Eg: Related to elastic/repo#999 Resolves #123 If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers. --> ## Summary - What I changed Adds a new rule for detecting `Azure RBAC Built-In Administrator Roles Assigned` from Azure Activity Logs. Please se issue for more details. <!-- Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥 --> ## How To Test Query can be used in TRADE serverless stack. <!-- Some examples of what you could include here are: * Links to GitHub action results for CI test improvements * Sample data before/after screenshots (or short videos showing how something works) * Copy/pasted commands and output from the testing you did in your local terminal window * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI * Query used in your stack to verify the change --> ## Checklist <!-- Delete any items that are not applicable to this PR. --> - [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours - [ ] Secret and sensitive material has been managed correctly - [ ] Automated testing was updated or added to match the most common scenarios - [ ] Documentation and comments were added for features that require explanation ## Contributor checklist - Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? - Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
Aegrah
approved these changes
Sep 16, 2025
Comment on lines
+84
to
+89
| *18d7d88d-d35e-4fb5-a5c3-7773c20a72d9* or | ||
| *f58310d9-a9f6-439a-9e8d-f62e7b41a168* or | ||
| *b24988ac-6180-42a0-ab88-20f7382dd24c* or | ||
| *8e3af657-a8ff-443c-a75c-2fe8c4bcb635* or | ||
| *92b92042-07d9-4307-87f7-36a593fc5850* or | ||
| *a8889054-8d42-49c9-bc1c-52486c10e7cd* |
There was a problem hiding this comment.
These seem kind of expensive due to the starting wildcard. Any way to make it more efficient or is this the only way to capture those IDs?
There was a problem hiding this comment.
Unfortunately no. azure.activitylogs.properties is a nested object itself. KQL allows us to reach into requestbody.properties.roleDefinitionId. I was unable to get the query to match on the initial subscription text. The Role ID itself is located at the end after roleDefinitions
{
"requestbody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9\",\"principalId\":\"80744b0a-4a77-4a3e-9308-aa93e2c7c6db\",\"principalType\":\"User\"}}",
"hierarchy": "fb83355b-3bfe-4849-a3bc-480c7564e41b/159a7b82-6337-44c0-8edb-6a73e1ff5f3f",
"message": "Microsoft.Authorization/roleAssignments/write",
"entity": "/subscriptions/159a7b82-6337-44c0-8edb-6a73e1ff5f3f/providers/Microsoft.Authorization/roleAssignments/92c948dd-1b92-4079-a251-01b723d2f4ef"
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Summary - What I changed
Adds a new rule for detecting
Azure RBAC Built-In Administrator Roles Assignedfrom Azure Activity Logs. Please se issue for more details.How To Test
Query can be used in TRADE serverless stack.
Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist