Changes To PIM Settings

Detects when changes are made to PIM roles

Sigma rule (View on GitHub)

 1title: Changes To PIM Settings
 2id: db6c06c4-bf3b-421c-aa88-15672b88c743
 3status: test
 4description: Detects when changes are made to PIM roles
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022-08-09
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: auditlogs
16detection:
17    selection:
18        properties.message: Update role setting in PIM
19    condition: selection
20falsepositives:
21    - Legit administrative PIM setting configuration changes
22level: high

References

Related rules

to-top