M365 SharePoint Site Administrator Added

Last updated: 2026-03-02
Created: 2026-03-02

About

Identifies when a new SharePoint Site Administrator is added in Microsoft 365. Site Administrators have full control over SharePoint Sites, including the ability to manage permissions, access all content, and modify site settings. Adversaries who compromise a privileged account may add themselves or a controlled account as a Site Administrator to maintain persistent, high-privilege access to sensitive SharePoint data. This technique was notably observed in the 0mega ransomware campaign, where attackers elevated privileges to exfiltrate data and deploy ransom notes across SharePoint sites.
Tags
Domain: Cloud
Domain: SaaS
Domain: Identity
Data Source: Microsoft 365
Data Source: Microsoft 365 Audit Logs
Use Case: Identity and Access Audit
Tactic: Privilege Escalation
Tactic: Persistence
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)

Persistence (TA0003)

False Positive Examples
Legitimate IT administrators adding Site admins as part of routine SharePoint site management.
Automated provisioning tools or scripts that assign Site admin roles during site creation workflows.
Organizational restructuring where site ownership is being transferred to new administrators.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-o365.audit-*
Related Integrations

o365

Query
event.dataset:o365.audit and event.provider:(SharePoint or OneDrive) and event.category:web and event.action:SiteCollectionAdminAdded and event.outcome:success
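As an added illustration (not part of this rule or of Elastic's code), the Python below applies the query's five clauses to constructed o365.audit documents and shows how a tuning allowlist for a provisioning service account, the kind of source listed under False Positive Examples, would separate alerts from suppressed matches. The service-account name, the flattened field layout and the allowlist itself are assumptions.

```python
from typing import Iterable

# One entry per clause of the rule's KQL query; a document must satisfy all of them.
RULE_CONDITIONS = {
    "event.dataset": {"o365.audit"},
    "event.provider": {"SharePoint", "OneDrive"},
    "event.category": {"web"},
    "event.action": {"SiteCollectionAdminAdded"},
    "event.outcome": {"success"},
}

# Hypothetical service account of a site-provisioning workflow (a false-positive
# source the page lists); this allowlist is an assumption, not part of the rule.
PROVISIONING_ACCOUNTS = {"svc-siteprovisioning@example.com"}

# Constructed sample documents (not real audit data), flattened to dotted ECS keys.
SAMPLE_EVENTS = [
    {"event.dataset": "o365.audit", "event.provider": "SharePoint", "event.category": ["web"],
     "event.action": "SiteCollectionAdminAdded", "event.outcome": "success",
     "user.id": "jdoe@example.com"},                       # should alert
    {"event.dataset": "o365.audit", "event.provider": "SharePoint", "event.category": ["web"],
     "event.action": "SiteCollectionAdminAdded", "event.outcome": "failure",
     "user.id": "jdoe@example.com"},                       # failed attempt: no match
    {"event.dataset": "o365.audit", "event.provider": "Exchange", "event.category": ["web"],
     "event.action": "SiteCollectionAdminAdded", "event.outcome": "success",
     "user.id": "jdoe@example.com"},                       # wrong workload: no match
    {"event.dataset": "o365.audit", "event.provider": "OneDrive", "event.category": ["web"],
     "event.action": "SiteCollectionAdminAdded", "event.outcome": "success",
     "user.id": "svc-siteprovisioning@example.com"},       # matches, then suppressed
]

def matches_rule(doc: dict) -> bool:
    """True when every clause matches. KQL `field:value` on a keyword field is an
    exact match; ECS event.category is an array, so any allowed element counts."""
    for field, allowed in RULE_CONDITIONS.items():
        value = doc.get(field)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True

def triage(docs: Iterable[dict]) -> tuple[list, list]:
    """Split matching events into alerts and allowlist-suppressed events."""
    alerts, suppressed = [], []
    for doc in docs:
        if matches_rule(doc):
            (suppressed if doc.get("user.id") in PROVISIONING_ACCOUNTS else alerts).append(doc)
    return alerts, suppressed
```

Note that the rule itself has no actor filter, so a suppression like this belongs in a rule exception or a downstream triage step, and a suppressed event should still be retained for audit.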

Install detection rules in Elastic Security

Detect M365 SharePoint Site Administrator Added in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.