Panther Knowledge Base

Is there a Panther managed detection to identify elevated admin access in Microsoft 365 logs?

QUESTION

Is there a Panther-managed detection to identify elevated admin access in Microsoft 365 logs? If not, how can I create a custom detection rule in Panther to achieve this?

ANSWER

Currently, there is no Panther-managed detection for elevated admin access in Microsoft 365 logs.

To build a custom detection for this, use the "Operation" field of the Microsoft365.Audit.AzureActiveDirectory log type. The value "Add member to role" identifies a directory role assignment, which is the event that grants a user elevated admin access (check the exact spelling against your own records, since Azure AD audit operation names are commonly logged with a trailing period). Panther's schema includes this field:

name: Operation
required: true
description: The name of the user or admin activity.
type: string

If you require further assistance with creating this custom detection, please reach out to Panther Support.
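The following is an added example of such a custom rule, written here for illustration; it is not a Panther-managed detection and not code from this article. It assumes a Panther Python rule bound (in its rule YAML, under LogTypes) to Microsoft365.Audit.AzureActiveDirectory, and it reads the Workload, Operation, ResultStatus, UserId, ObjectId and ModifiedProperties fields as they appear in Office 365 Management Activity API AzureActiveDirectory records. The privileged-role list, the trailing-period normalisation and the ResultStatus handling are assumptions to verify against your tenant's data, and the sample records at the bottom are constructed, not real logs.

```python
# Added example, not Panther-managed code: a custom Panther Python rule that
# fires on Microsoft 365 directory role assignments ("Add member to role").
# Field names follow the Office 365 Management Activity API record shape;
# the role list and status handling are assumptions to tune per tenant.
from typing import Any, Dict, Optional, Tuple

# Azure AD audit operations are usually logged with a trailing period
# ("Add member to role."); normalise so either spelling matches.
ROLE_ASSIGNMENT_OPERATIONS = {"add member to role"}

# Roles treated as highly privileged (assumed starting list; extend as needed).
PRIVILEGED_ROLES = {
    "global administrator",
    "company administrator",  # legacy display name of Global Administrator
    "privileged role administrator",
    "security administrator",
    "exchange administrator",
}


def _normalize(value: Optional[str]) -> str:
    """Lower-case, trim, and drop the trailing period Azure AD appends."""
    return (value or "").strip().rstrip(".").lower()


def _modified_property(event: Dict[str, Any], name: str) -> Optional[str]:
    """Return NewValue of the ModifiedProperties entry called `name`, if any."""
    for prop in event.get("ModifiedProperties") or []:
        if isinstance(prop, dict) and prop.get("Name") == name:
            return prop.get("NewValue")
    return None


def role_display_name(event: Dict[str, Any]) -> Optional[str]:
    return _modified_property(event, "Role.DisplayName")


def rule(event: Dict[str, Any]) -> bool:
    """Panther rule entry point: True on a successful role assignment."""
    if event.get("Workload") != "AzureActiveDirectory":
        return False
    if _normalize(event.get("Operation")) not in ROLE_ASSIGNMENT_OPERATIONS:
        return False
    # Ignore failed attempts (assumes "Success"/"Succeeded" on success).
    status = _normalize(event.get("ResultStatus"))
    return not status or status.startswith("succ")


def severity(event: Dict[str, Any]) -> str:
    """Dynamic severity: escalate when the assigned role is highly privileged."""
    if _normalize(role_display_name(event)) in PRIVILEGED_ROLES:
        return "HIGH"
    return "MEDIUM"


def title(event: Dict[str, Any]) -> str:
    return (
        f"Microsoft 365: [{event.get('UserId', '<unknown actor>')}] added "
        f"[{event.get('ObjectId', '<unknown target>')}] to role "
        f"[{role_display_name(event) or '<unknown role>'}]"
    )


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    return {
        "actor": event.get("UserId"),
        "target": event.get("ObjectId"),
        "role": role_display_name(event),
        "role_template_id": _modified_property(event, "Role.TemplateId"),
        "result_status": event.get("ResultStatus"),
    }


def evaluate(event: Dict[str, Any]) -> Tuple[bool, Optional[str], Optional[str]]:
    """Run the rule the way Panther would: (fires, severity, title)."""
    if not rule(event):
        return (False, None, None)
    return (True, severity(event), title(event))


# Constructed sample records for local testing; not real tenant data.
_BASE = {"Workload": "AzureActiveDirectory", "UserId": "admin@example.com"}
SAMPLE_EVENTS = [
    # successful Global Administrator assignment -> fires, HIGH
    {**_BASE, "Operation": "Add member to role.", "ResultStatus": "Success",
     "ObjectId": "alice@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}]},
    # successful Helpdesk Administrator assignment -> fires, MEDIUM
    {**_BASE, "Operation": "Add member to role.", "ResultStatus": "Success",
     "ObjectId": "bob@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator", "OldValue": ""}]},
    # unrelated directory change -> no alert
    {**_BASE, "Operation": "Add user.", "ResultStatus": "Success", "ObjectId": "carol@example.com"},
    # role assignment that failed -> no alert
    {**_BASE, "Operation": "Add member to role.", "ResultStatus": "Failure",
     "ObjectId": "dave@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}]},
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(evaluate(sample))
```

Pairing the rule with its YAML spec and turning the sample records into that spec's Tests entries lets Panther's analysis tooling exercise both the firing and the non-firing cases before deployment; the severity override keeps a Global Administrator grant from being buried among routine helpdesk role changes.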
