
Add O365 rule: Admin Role/Permission Granted#2219

Merged
Kbayero merged 1 commit into release/v11.2.9 from feature/add-o365-rule-admin-role-granted on Jun 15, 2026

Conversation

@developutm


Changes

Adds a new O365 correlation rule that detects when an admin role or elevated permission is granted to a user in Office 365 / Azure Active Directory.

Reasoning

Granting admin roles is one of the strongest indicators of either legitimate privileged operations or active persistence by an adversary. Because the cleanest event () is not consistently emitted in the data we observe, we anchor on plus a probe that captures user-type elevations. This keeps the rule actionable today and can be tightened later once the canonical event is available.

Issue Reference

N/A

@developutm developutm requested a review from a team June 12, 2026 18:49
@github-actions


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.25
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.24
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.284.0

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.25
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.24
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.26

❌ Please update dependencies before merging.

@github-actions


⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: New detection rule added; no architectural changes or service coupling detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Detected a typo in the rule description and a potential logic issue with the proxy signal.

  • medium rules/office365/o365-admin-role-granted.yml:6 — Typo: 'Azure Active Directory' is often referred to as 'Microsoft Entra ID' in modern documentation, but specifically, ensure the description is accurate. Additionally, check for consistency in terminology.
  • medium rules/office365/o365-admin-role-granted.yml:23 — Potential logic bug: The 'where' clause uses 'contains' on 'log.ModifiedProperties'. If 'log.ModifiedProperties' is a structured JSON object rather than a string, 'contains' may fail or behave unexpectedly depending on the engine implementation.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: New detection rule added for Office 365 admin role changes; no vulnerabilities or information disclosure identified.

No findings.
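To make the `ModifiedProperties` finding above concrete, and to illustrate the kind of elevation check the PR description describes, here is an added example detector. It is not the PR's YAML rule and not UTMStack code. It assumes the Office 365 Management Activity API record shape for Azure AD audit events (an `Operation` string and a `ModifiedProperties` list of `Name`/`NewValue`/`OldValue` objects, which some pipelines flatten into a JSON string) and the operation name `Add member to role.`; the role display names and sample records are constructed. The point it demonstrates is the one the review raises: a substring `contains` on the raw field behaves differently depending on whether the field is a string or a structure, so the field is normalised first and the match is done on the `Role.DisplayName` property.

```python
"""Added example: detect admin role grants in Office 365 / Azure AD audit
records while tolerating both shapes of ModifiedProperties.

Not the PR's rule and not UTMStack code. Assumes the Office 365 Management
Activity API record shape (an "Operation" string and a "ModifiedProperties"
list of {"Name", "NewValue", "OldValue"} objects) and the operation name
"Add member to role."; every record below is constructed.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# Assumed operation name for a directory role assignment (not taken from the PR).
ROLE_GRANT_OPERATIONS = {"Add member to role."}

# Substrings that mark an elevated role in the assumed role display names.
ADMIN_ROLE_MARKERS = ("administrator",)


def normalize_modified_properties(raw: Any) -> List[Dict[str, Any]]:
    """Return ModifiedProperties as a list of dicts, whether it arrived as a
    JSON string, a single dict, or a list. A plain 'contains' on the raw field
    only works for the string form; this makes the structured form visible
    to the same check."""
    if raw is None:
        return []
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            # Opaque, non-JSON string: keep it inspectable as a single property.
            return [{"Name": "raw", "NewValue": raw, "OldValue": ""}]
    if isinstance(raw, dict):
        return [raw]
    if isinstance(raw, list):
        return [p for p in raw if isinstance(p, dict)]
    return []


def granted_role_name(record: Dict[str, Any]) -> Optional[str]:
    """Role display name granted by this record, or None if it is not a grant."""
    if record.get("Operation") not in ROLE_GRANT_OPERATIONS:
        return None
    for prop in normalize_modified_properties(record.get("ModifiedProperties")):
        if prop.get("Name") == "Role.DisplayName":
            # Values are sometimes JSON-quoted strings; strip the outer quotes.
            return str(prop.get("NewValue", "")).strip().strip('"')
    return None


def is_admin_role_grant(record: Dict[str, Any]) -> bool:
    """True when the record grants a role whose name marks it as elevated."""
    role = granted_role_name(record)
    return role is not None and any(m in role.lower() for m in ADMIN_ROLE_MARKERS)


def find_admin_role_grants(records: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """(actor, target, role) for every admin role grant in a batch of records."""
    hits = []
    for rec in records:
        if is_admin_role_grant(rec):
            hits.append((rec.get("UserId", "?"), rec.get("ObjectId", "?"), granted_role_name(rec) or ""))
    return hits


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {   # structured form: list of property objects
        "Operation": "Add member to role.", "UserId": "alice@example.com", "ObjectId": "bob@example.com",
        "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}],
    },
    {   # flattened form: the same properties serialised to a JSON string
        "Operation": "Add member to role.", "UserId": "alice@example.com", "ObjectId": "carol@example.com",
        "ModifiedProperties": json.dumps([{"Name": "Role.DisplayName", "NewValue": "\"Exchange Administrator\"", "OldValue": ""}]),
    },
    {   # a role grant, but not an elevated one
        "Operation": "Add member to role.", "UserId": "alice@example.com", "ObjectId": "dave@example.com",
        "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Directory Readers", "OldValue": ""}],
    },
    {   # unrelated operation
        "Operation": "Add user.", "UserId": "alice@example.com", "ObjectId": "erin@example.com",
        "ModifiedProperties": [],
    },
]

if __name__ == "__main__":
    for actor, target, role in find_admin_role_grants(SAMPLE_RECORDS):
        print(f"ALERT admin role granted: {actor} -> {target}: {role}")
```

Run as-is it reports the two elevated grants (structured and flattened) and stays silent on the `Directory Readers` grant and the unrelated `Add user.` record. In a rule engine the same idea translates to matching on the parsed `Role.DisplayName` property rather than on a substring of the serialised field, which is what the review finding asks the author to confirm.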

@utmstackprapprover utmstackprapprover Bot left a comment


Changes requested — see approver comments above.

@Kbayero Kbayero merged commit 2a7c8c8 into release/v11.2.9 Jun 15, 2026
5 of 7 checks passed
@Kbayero Kbayero deleted the feature/add-o365-rule-admin-role-granted branch June 15, 2026 14:33
2 participants