Changes To PIM Settings
Detects when changes are made to PIM roles
Sigma rule (View on GitHub)
1title: Changes To PIM Settings
2id: db6c06c4-bf3b-421c-aa88-15672b88c743
3status: test
4description: Detects when changes are made to PIM roles
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment
7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
8date: 2022/08/09
9tags:
10 - attack.privilege_escalation
11 - attack.persistence
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 properties.message: Update role setting in PIM
19 condition: selection
20falsepositives:
21 - Legit administrative PIM setting configuration changes
22level: high
References
-
Establish baselines and use Microsoft Entra Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.
Read More
Related rules
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- Privileged Account Creation
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS