From 9b366d505aa74655457926b52bccbdbe181a70f1 Mon Sep 17 00:00:00 2001
From: developutm
Date: Fri, 12 Jun 2026 18:36:20 +0000
Subject: [PATCH] feat(rules/o365): add Admin Role Assignment detection rule

---
 .../office365/o365-admin-role-assignment.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/office365/o365-admin-role-assignment.yml

diff --git a/rules/office365/o365-admin-role-assignment.yml b/rules/office365/o365-admin-role-assignment.yml
new file mode 100644
index 000000000..546ee0ae9
--- /dev/null
+++ b/rules/office365/o365-admin-role-assignment.yml
@@ -0,0 +1,23 @@
+# Rule version v1.0.0
+
+name: O365 Admin Role Assignment
+description: |
+  Detects when an administrator assigns privileged roles, adds members to admin groups,
+  or grants delegated/app role permissions in Azure Active Directory. This activity can
+  indicate account compromise or insider threat where an attacker escalates privileges
+  to maintain persistence within the tenant.
+category: "Persistence"
+technique: "T1136 - Create Account"
+references:
+  - "https://attack.mitre.org/techniques/T1136/"
+dataTypes:
+  - o365
+adversary: origin
+impact:
+  confidentiality: 2
+  integrity: 3
+  availability: 0
+where: equals("log.Workload", "AzureActiveDirectory") && oneOf("action", ["Add member to group.", "Add delegated permission grant.", "Add app role assignment grant to user."])
+groupBy:
+  - adversary.user
+  - lastEvent.log.ObjectId
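Review bot: The `where` clause matches every `Add member to group.` event, not only additions to admin groups as the description claims, so the rule will fire on routine group membership changes unless the condition is narrowed to privileged groups using whatever group identifier field this data source exposes for the event. The description also says the rule covers privileged role assignment, yet no role-assignment operation such as `Add member to role.` appears in the `oneOf` list, so either add that operation or trim the description to the three operations actually matched. The MITRE mapping `technique: "T1136 - Create Account"` does not describe any of these operations; `T1098 - Account Manipulation` (its cloud-roles sub-technique in particular) is the closer fit, and the `references` URL should change with it. For consistency with the other quoted scalars, `adversary: "origin"` and `- "o365"` would also match the file's quoting style.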