CHAIN-184 — Activity Log alerts missing on IAM writes¶
Summary
Severity: High · Likelihood: High · Logic: ALL
Why this chain matters¶
No Activity Log alert rule is configured for the operation Microsoft.Authorization/roleAssignments/write. When an attacker grants themselves Owner on a resource group, the SOC gets no real-time alert: the Activity Log records the role assignment as an Administrative event, but no alert rule watches for it, so the evidence sits in the log until someone goes looking.
Component rules¶
This chain fires when its trigger conditions are met by the following rules. Click any rule to see its detection logic and compliance mappings.
| Rule ID | Role |
|---|---|
| zt_vis_021 | Trigger |
| zt_vis_001 | Trigger |
Attack walkthrough¶
Step 1 — Grant self Owner via role assignment.¶
Actor: Attacker
MITRE ATT&CK: T1098
Enabled by: zt_vis_021
Attacker gain: Owner role assigned without triggering an alert.
Step 2 — Operate freely; evidence lives in log but never alerts.¶
Actor: Attacker
MITRE ATT&CK: T1562
Enabled by: zt_vis_001
Attacker gain: Silent privilege escalation.
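The two steps above describe a detection gap rather than an exploit, so the useful check is whether any enabled Activity Log alert rule would fire on the role-assignment write. The following is an added example, not code from this page or from the zt_vis rule engine: it models alert rules in the shape of the ARM resource Microsoft.Insights/activityLogAlerts (scopes plus an allOf list of field/equals clauses), evaluates them against a constructed Activity Log event for Microsoft.Authorization/roleAssignments/write, and reports the gap when no enabled, correctly scoped rule covers it. The subscription ID, rule names, the sample event, and the case-insensitive field comparison are assumptions made for the example.

```python
"""Added example for CHAIN-184 (not the page's or the rule engine's code).

Evaluates Activity Log alert rules, shaped like Microsoft.Insights/activityLogAlerts,
against a constructed roleAssignments/write event and reports the visibility gap
when no enabled, correctly scoped rule would fire. IDs, names and the event are
constructed for illustration.
"""

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # assumed ID

# Constructed sample event: what the Activity Log records when a principal assigns
# a role on a resource group. Field names follow the Activity Log event schema.
SELF_GRANT_EVENT = {
    "category": "Administrative",
    "operationName": ROLE_ASSIGNMENT_WRITE,
    "level": "Informational",
    "status": "Succeeded",
    "resourceId": SUBSCRIPTION + "/resourceGroups/rg-prod/providers/"
                  "Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
}

# Constructed alert rules. Only "scopes" and "condition.allOf" with field/equals
# clauses are modelled; anyOf/containsAny clauses are left out (an assumption).
VM_DELETE_ALERT = {  # watches VM deletes only: does not cover IAM writes
    "name": "vm-delete",
    "properties": {
        "enabled": True,
        "scopes": [SUBSCRIPTION],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": "Microsoft.Compute/virtualMachines/delete"},
        ]},
    },
}

IAM_WRITE_ALERT = {  # the remediation: Administrative + roleAssignments/write, whole subscription
    "name": "iam-role-assignment-write",
    "properties": {
        "enabled": True,
        "scopes": [SUBSCRIPTION],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": ROLE_ASSIGNMENT_WRITE},
        ]},
    },
}

IAM_WRITE_ALERT_DISABLED = {  # right condition, but switched off: still a gap
    "name": "iam-role-assignment-write-disabled",
    "properties": dict(IAM_WRITE_ALERT["properties"], enabled=False),
}


def _in_scope(scopes, resource_id):
    """An alert scope covers an event whose resourceId sits under it, so a
    subscription scope covers every resource group inside that subscription."""
    rid = resource_id.lower()
    return any(rid == s.lower() or rid.startswith(s.lower().rstrip("/") + "/")
               for s in scopes)


def rule_fires(rule, event):
    """True if the rule would alert on the event: it is enabled, the event lies
    inside one of its scopes, and every allOf clause matches. Values are compared
    case-insensitively (assumed behaviour of Activity Log alert field matching)."""
    props = rule["properties"]
    if not props.get("enabled", True):
        return False
    if not _in_scope(props.get("scopes", []), event["resourceId"]):
        return False
    for clause in props["condition"]["allOf"]:
        actual = str(event.get(clause["field"], ""))
        if actual.lower() != str(clause["equals"]).lower():
            return False
    return True


def rules_covering(rules, event):
    """Names of the rules that would alert on the given event."""
    return [r["name"] for r in rules if rule_fires(r, event)]


def iam_write_alert_gap(rules, subscription=SUBSCRIPTION):
    """The CHAIN-184 condition: no enabled rule fires on a successful
    roleAssignments/write in the subscription. A probe event on an arbitrary
    resource group is used, because only a subscription-scoped rule covers all."""
    probe = dict(SELF_GRANT_EVENT)
    probe["resourceId"] = (subscription + "/resourceGroups/any-rg/providers/"
                           "Microsoft.Authorization/roleAssignments/probe")
    return not rules_covering(rules, probe)


if __name__ == "__main__":
    before = [VM_DELETE_ALERT, IAM_WRITE_ALERT_DISABLED]
    print("rules covering self-grant before:", rules_covering(before, SELF_GRANT_EVENT))
    print("CHAIN-184 gap before:", iam_write_alert_gap(before))
    after = before + [IAM_WRITE_ALERT]
    print("rules covering self-grant after:", rules_covering(after, SELF_GRANT_EVENT))
    print("CHAIN-184 gap after:", iam_write_alert_gap(after))
```

The check deliberately treats a disabled rule and a rule scoped to a single resource group as gaps, since either leaves a self-grant in another resource group unalerted. In a real subscription the input would come from listing the activityLogAlerts resources (for instance with `az monitor activity-log alert list`), and the remediation is a rule with exactly the IAM_WRITE_ALERT condition above attached to an action group the SOC watches.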
Blast radius¶
| Aspect | Detail |
|---|---|
| Initial access | Contributor / User Access Administrator (UAA) |
| Max privilege | Owner via self-grant |
| Data at risk | IAM integrity |
| Services at risk | Azure RBAC |
How the logic works¶
The chain fires only when every rule above has at least one finding in the current scan. Missing any one rule breaks the chain — so remediating any single step disrupts the attack path.