Is there a Panther-managed detection to identify elevated admin access in Microsoft 365 logs? If not, how can I create a custom detection rule in Panther to achieve this?
Currently, there's no Panther-managed detection for elevated admin access in Microsoft 365 logs.
To build a custom detection, key on the "Operation" field of the Microsoft365.Audit.AzureActiveDirectory log type: a value of "Add member to role" records that a user was added to a directory role, which is the event that grants elevated admin access. Panther's schema defines the field as follows:
    - name: Operation
      required: true
      description: The name of the user or admin activity.
      type: string
If you require further assistance with creating this custom detection, please reach out to Panther Support.
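The following is an added example of such a custom rule, not a Panther-managed detection and not code from Panther. It is a Panther-style Python rule (Panther calls rule(event) per event, and also picks up title(event) and severity(event) when they are defined) that matches the "Add member to role" operation and reads the role name from ModifiedProperties. It goes slightly beyond the answer above: rather than treating every role addition as elevated access, it alerts on all of them and raises the severity to HIGH only for roles in an ELEVATED_ROLES list, which is an assumption you should tune for your tenant. Two details of the real log format are handled: Microsoft 365 writes operation names with a trailing period ("Add member to role."), and the NewValue entries in ModifiedProperties are JSON-encoded strings with surrounding quotes. The sample events at the bottom are constructed for illustration, not real tenant data; the event object only needs dict-style .get(), so the module runs stand-alone on plain dicts.

```python
# Added example: custom Panther rule for elevated admin access in Microsoft 365
# audit logs (Microsoft365.Audit.AzureActiveDirectory). Not a Panther-managed
# detection; sample events below are constructed, not real log data.

# Operation names that grant a directory role. Microsoft 365 writes these with a
# trailing period ("Add member to role."), so compare after normalizing.
ROLE_GRANT_OPERATIONS = {"add member to role"}

# Roles treated as elevated admin access. Assumption for this example; tune it
# to your tenant. Matched case-insensitively against Role.DisplayName.
ELEVATED_ROLES = {
    "global administrator",
    "company administrator",
    "privileged role administrator",
    "privileged authentication administrator",
    "security administrator",
    "exchange administrator",
    "user administrator",
}


def _normalize(value):
    """Lower-case and strip the trailing period Microsoft adds to operation names."""
    return (value or "").strip().rstrip(".").lower()


def modified_property(event, name):
    """Return NewValue for the named ModifiedProperties entry, or '' if absent.

    Microsoft 365 JSON-encodes the value (e.g. '"Global Administrator"'), so
    the surrounding quotes are stripped before returning.
    """
    for prop in event.get("ModifiedProperties") or []:
        if prop.get("Name") == name:
            return str(prop.get("NewValue", "")).strip().strip('"')
    return ""


def role_name(event):
    return modified_property(event, "Role.DisplayName")


def rule(event):
    """Fire on every successful addition of a principal to a directory role."""
    if _normalize(event.get("Operation")) not in ROLE_GRANT_OPERATIONS:
        return False
    # A failed attempt did not change role membership; drop it so the alert
    # reflects access that was actually granted.
    status = event.get("ResultStatus")
    if status and status != "Success":
        return False
    return True


def severity(event):
    """HIGH for roles in ELEVATED_ROLES, MEDIUM for any other role addition."""
    return "HIGH" if role_name(event).lower() in ELEVATED_ROLES else "MEDIUM"


def title(event):
    return "Microsoft 365: [{}] was added to role [{}] by [{}]".format(
        event.get("ObjectId", "<unknown target>"),
        role_name(event) or "<unknown role>",
        event.get("UserId", "<unknown actor>"),
    )


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {  # user promoted to Global Administrator: expect HIGH
        "Operation": "Add member to role.",
        "ResultStatus": "Success",
        "UserId": "admin@example.onmicrosoft.com",
        "ObjectId": "alice@example.onmicrosoft.com",
        "ModifiedProperties": [
            {"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""},
        ],
    },
    {  # low-privilege role: still a membership change, expect MEDIUM
        "Operation": "Add member to role.",
        "ResultStatus": "Success",
        "UserId": "admin@example.onmicrosoft.com",
        "ObjectId": "bob@example.onmicrosoft.com",
        "ModifiedProperties": [
            {"Name": "Role.DisplayName", "NewValue": "\"Reports Reader\""},
        ],
    },
    {  # unrelated operation: no alert
        "Operation": "Update user.",
        "ResultStatus": "Success",
        "UserId": "admin@example.onmicrosoft.com",
        "ObjectId": "carol@example.onmicrosoft.com",
        "ModifiedProperties": [],
    },
    {  # failed attempt to grant Global Administrator: no alert
        "Operation": "Add member to role.",
        "ResultStatus": "Failure",
        "UserId": "helpdesk@example.onmicrosoft.com",
        "ObjectId": "dave@example.onmicrosoft.com",
        "ModifiedProperties": [
            {"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""},
        ],
    },
]


def run_rule(events):
    """Evaluate the rule over a batch; return (index, severity, title) per match."""
    return [(i, severity(e), title(e)) for i, e in enumerate(events) if rule(e)]


if __name__ == "__main__":
    for match in run_rule(SAMPLE_EVENTS):
        print(match)
```

To deploy it, pair the Python file with a rule YAML spec (AnalysisType: rule, LogTypes: [Microsoft365.Audit.AzureActiveDirectory], a RuleID, the Filename, and a base Severity that the severity() function overrides) and exercise the constructed events as unit tests with panther_analysis_tool test before uploading. Restrict ELEVATED_ROLES to the roles your organization actually considers privileged, and consider also alerting on "Remove member from role" if you want visibility into cleanup after an intrusion.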