
Add O365 rule: Admin Role Assignment#2218

Open
developutm wants to merge 1 commit into
release/v11.2.9from
feature/add-o365-rule-admin-role-assignment

Conversation

@developutm


Changes

Adds a new O365 correlation rule o365-admin-role-assignment.yml that detects when an administrator assigns privileged roles, adds members to admin groups, or grants delegated/app role permissions in Azure Active Directory.

Reasoning

Privilege escalation via role/permission grants in Azure AD is a high-fidelity persistence technique. Attackers who compromise an account with directory write permissions commonly grant themselves (or a backdoor account) elevated roles or OAuth app permissions to maintain access even if the initial entry vector is closed. Detecting these grants in near real time lets SOC teams catch persistence setup before it is exercised.

Issue Reference

N/A
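To make the detection concrete, here is an added stand-alone Go example (not the rule file from this PR and not UTMStack's own correlation engine) that applies the same Workload/Operation filter to a batch of Office 365 Management Activity API audit records. The record field names follow the Unified Audit Log common schema; the list of Operation strings and the high-privilege role names are assumptions to check against your tenant's logs, and the sample records are constructed, not real tenant data. The filter keys on the record's `Operation` field, which is the point the automated review raises about the rule's `where` clause.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditRecord is the subset of an Office 365 Management Activity API audit
// record that the detection needs. Field names follow the Unified Audit Log
// common schema; the rest of the record is ignored.
type AuditRecord struct {
	Workload           string `json:"Workload"`
	Operation          string `json:"Operation"`
	UserId             string `json:"UserId"`
	ObjectId           string `json:"ObjectId"`
	ResultStatus       string `json:"ResultStatus"`
	ModifiedProperties []struct {
		Name     string `json:"Name"`
		NewValue string `json:"NewValue"`
	} `json:"ModifiedProperties"`
}

// privilegeGrantOps lists the Azure AD Operation values that grant roles,
// group membership or app/delegated permissions. The exact strings
// (trailing period included) are assumed from Azure AD audit records;
// verify them against your own tenant before relying on this list.
var privilegeGrantOps = map[string]bool{
	"Add member to role.":                           true,
	"Add member to group.":                          true,
	"Add app role assignment grant to user.":        true,
	"Add app role assignment to service principal.": true,
	"Add delegated permission grant.":               true,
	"Consent to application.":                       true,
}

// highPrivRoles are directory roles whose assignment is rated high severity
// (an assumed, illustrative subset).
var highPrivRoles = map[string]bool{
	"Global Administrator":          true,
	"Privileged Role Administrator": true,
	"Application Administrator":     true,
}

// Finding is one alert produced by the detection.
type Finding struct {
	Actor, Operation, Target, Detail, Severity string
}

// ParseRecords decodes a JSON array of audit records.
func ParseRecords(data string) ([]AuditRecord, error) {
	var recs []AuditRecord
	err := json.Unmarshal([]byte(data), &recs)
	return recs, err
}

// Detect returns one Finding per successful privilege grant in the
// AzureActiveDirectory workload. Other workloads, non-grant operations and
// failed attempts are skipped. The match is on the record's Operation field,
// not on a generic "action" field.
func Detect(records []AuditRecord) []Finding {
	var out []Finding
	for _, r := range records {
		if r.Workload != "AzureActiveDirectory" || !privilegeGrantOps[r.Operation] {
			continue
		}
		if r.ResultStatus != "" && !strings.EqualFold(r.ResultStatus, "Success") {
			continue
		}
		// Azure AD serialises NewValue as a JSON string, so strip the quotes.
		detail := ""
		for _, p := range r.ModifiedProperties {
			if p.Name == "Role.DisplayName" || p.Name == "Group.DisplayName" {
				detail = strings.Trim(p.NewValue, `"`)
			}
		}
		sev := "medium"
		if r.Operation == "Add member to role." && highPrivRoles[detail] {
			sev = "high"
		}
		out = append(out, Finding{r.UserId, r.Operation, r.ObjectId, detail, sev})
	}
	return out
}

// SampleRecords is a constructed batch for the example, not real tenant data.
const SampleRecords = `[
 {"Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"admin@contoso.example","ObjectId":"backdoor@contoso.example","ResultStatus":"Success","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"Global Administrator\""}]},
 {"Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@contoso.example","ObjectId":"user1","ResultStatus":"Success"},
 {"Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"helpdesk@contoso.example","ObjectId":"user2","ResultStatus":"Failure","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"Global Administrator\""}]},
 {"Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"user3@contoso.example","ObjectId":"app-id","ResultStatus":"Success"},
 {"Workload":"AzureActiveDirectory","Operation":"Add delegated permission grant.","UserId":"admin@contoso.example","ObjectId":"sp-object-id","ResultStatus":"Success"}
]`

func main() {
	recs, err := ParseRecords(SampleRecords)
	if err != nil {
		panic(err)
	}
	for _, f := range Detect(recs) {
		fmt.Printf("[%s] %s -> %s (%s %s)\n", f.Severity, f.Actor, f.Target, f.Operation, f.Detail)
	}
}
```

On the constructed batch only two records survive the filter: the successful Global Administrator assignment (rated high) and the delegated permission grant (medium); the Exchange record, the failed role assignment and the sign-in are dropped. Rating by the role name in ModifiedProperties is what keeps a routine group-membership change from paging the SOC at the same priority as a new Global Administrator.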

@developutm developutm requested a review from a team June 12, 2026 18:41
@github-actions


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.25
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.24
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.25
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.24
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

@github-actions


⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Addition of a new detection rule in YAML format; no architectural impact detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Detected a typo in the technique description and a potential logic error in the rule filter.

  • medium rules/office365/o365-admin-role-assignment.yml:10 — Typo in technique description: 'T1136 - Create Account' is technically correct for the MITRE ID, but the description for T1136 is 'Create Account'. However, the rule logic targets role assignments, which aligns more closely with 'T1098 - Account Manipulation'. If keeping T1136, ensure the description matches the MITRE standard.
  • high rules/office365/o365-admin-role-assignment.yml:20 — Potential logic error: The 'where' clause uses 'action' as a field, but based on the 'groupBy' clause, the log structure likely requires 'log.Operation' or 'log.Action'. Verify if 'action' is a valid top-level field or if it should be prefixed with 'log.' to match the 'log.Workload' pattern.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: The PR introduces a new detection rule for Office 365 admin role assignments; no security vulnerabilities or information disclosures identified.

No findings.

@utmstackprapprover utmstackprapprover Bot left a comment



Changes requested — see approver comments above.
