PIM Approvals And Deny Elevation

Oct 23, 2025 · attack.persistence attack.initial-access attack.defense-evasion attack.privilege-escalation attack.t1078.004 ·

Share on:

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Sigma rule (View on GitHub)

 1title: PIM Approvals And Deny Elevation
 2id: 039a7469-0296-4450-84c0-f6966b16dc6d
 3status: test
 4description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-09
 9tags:
10    - attack.persistence
11    - attack.initial-access
12    - attack.defense-evasion
13    - attack.privilege-escalation
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        properties.message: Request Approved/Denied
21    condition: selection
22falsepositives:
23    - Actual admin using PIM.
24level: high

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

Read More

PIM Approvals And Deny Elevation

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Related rules