PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Sigma rule (View on GitHub)

 1title: PIM Approvals And Deny Elevation
 2id: 039a7469-0296-4450-84c0-f6966b16dc6d
 3status: test
 4description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-09
 9tags:
10    - attack.privilege-escalation
11    - attack.t1078.004
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message: Request Approved/Denied
18    condition: selection
19falsepositives:
20    - Actual admin using PIM.
21level: high

References

Related rules

to-top