Changes To PIM Settings

Aug 12, 2024 · attack.privilege-escalation attack.persistence attack.t1078.004 ·

Detects when changes are made to PIM roles

Sigma rule (View on GitHub)

 1title: Changes To PIM Settings
 2id: db6c06c4-bf3b-421c-aa88-15672b88c743
 3status: test
 4description: Detects when changes are made to PIM roles
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-09
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        properties.message: Update role setting in PIM
19    condition: selection
20falsepositives:
21    - Legit administrative PIM setting configuration changes
22level: high

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

Read More

Changes To PIM Settings

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for Privileged Identity Management - Microsoft Entra

Related rules