Stale Accounts In A Privileged Role

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1078 attack.persistence attack.privilege-escalation ·

Share on:

Identifies when an account hasn't signed in during the past n number of days.

Sigma rule (View on GitHub)

 1title: Stale Accounts In A Privileged Role
 2id: e402c26a-267a-45bd-9615-bd9ceda6da85
 3status: test
 4description: Identifies when an account hasn't signed in during the past n number of days.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: azure
17    service: pim
18detection:
19    selection:
20        riskEventType: 'staleSignInAlertIncident'
21    condition: selection
22falsepositives:
23    - Investigate if potential generic account that cannot be removed.
24level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Stale Accounts In A Privileged Role

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules