PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
Sigma rule (View on GitHub)
1title: PIM Approvals And Deny Elevation
2id: 039a7469-0296-4450-84c0-f6966b16dc6d
3status: test
4description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
8date: 2022/08/09
9tags:
10 - attack.privilege_escalation
11 - attack.t1078.004
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 properties.message: Request Approved/Denied
18 condition: selection
19falsepositives:
20 - Actual admin using PIM.
21level: high
References
-
Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.
Read More
Related rules
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- Changes To PIM Settings
- Privileged Account Creation
- User Added To Privilege Role