Azure Privilege Escalation Using an Application

Cortex XDR Analytics Alert Reference by data source

Product: Cortex XDR
Last date published: 2026-06-15
Category: Analytics Alert Reference
Index by: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	5 Hours
Deduplication Period	1 Day
Required Data	Requires: Azure Audit Log Requires: AzureAD Requires: AzureAD Audit Log Requires: Microsoft Graph Logs Requires: Office 365 Audit Requires: Okta Requires: Okta Audit Log Requires one of the following data sources: Palo Alto Networks Firewall EAL Logs OR Palo Alto Networks Firewall threat Logs Requires one of the following data sources: Palo Alto Networks Global Protect OR Third-Party VPNs Requires: XDR Agent Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Privilege Escalation (TA0004)
ATT&CK Technique	Abuse Elevation Control Mechanism (T1548)
Severity	Medium

Description

An Azure application was observed assigning an Azure administrator role to a user. This might indicate a privilege escalation attempt.

Attacker's Goals

An attacker may add additional roles or permissions to an attacker controlled cloud account to maintain persistent access to a tenant.

Investigative actions

Check if the affected account is new to the organization.
Check whether the application that added the account to the role is permitted to perform such actions.
Check what can be affected by the assigned role
Follow further actions done by the account that was added to the role.