Multiple Azure AD admin role removals

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

3 Hours

Deduplication Period

1 Day

Required Data

  • Requires:
    • AzureAD Audit Log

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Account Access Removal (T1531)

Severity

Low

Description

An Azure AD identity removed multiple administrators from their roles.

Attacker's Goals

An attacker may want to lock out an organization and retain sole access.

Investigative actions

  • Check if the identity performing the actions was authorized to perform them.
  • Check what roles the users were removed from.
  • Check whether the identity is a newly added admin.
  • Check if the identity is operating in its usual matter (location, time, operations)
  • Check if the identity performed additional operations in the cloud environment that might be malicious.