PIM Approvals And Deny Elevation

Aug 12, 2024 · attack.privilege-escalation attack.t1078.004 ·

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Sigma rule (View on GitHub)

 1title: PIM Approvals And Deny Elevation
 2id: 039a7469-0296-4450-84c0-f6966b16dc6d
 3status: test
 4description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-09
 9tags:
10    - attack.privilege-escalation
11    - attack.t1078.004
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message: Request Approved/Denied
18    condition: selection
19falsepositives:
20    - Actual admin using PIM.
21level: high

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

Read More

PIM Approvals And Deny Elevation

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Related rules