Changes To PIM Settings

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.privilege-escalation attack.persistence attack.t1078.004 ·

Share on:

Detects when changes are made to PIM roles

Sigma rule (View on GitHub)

 1title: Changes To PIM Settings
 2id: db6c06c4-bf3b-421c-aa88-15672b88c743
 3status: test
 4description: Detects when changes are made to PIM roles
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-09
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.persistence
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        properties.message: Update role setting in PIM
21    condition: selection
22falsepositives:
23    - Legit administrative PIM setting configuration changes
24level: high

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

Read More

Changes To PIM Settings

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Related rules