Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
Sigma rule (View on GitHub)
1title: Invalid PIM License
2id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
3status: test
4description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
5references:
6 - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
8date: 2023-09-14
9tags:
10 - attack.t1078
11 - attack.persistence
12 - attack.privilege-escalation
13logsource:
14 product: azure
15 service: pim
16detection:
17 selection:
18 riskEventType: 'invalidLicenseAlertIncident'
19 condition: selection
20falsepositives:
21 - Investigate if licenses have expired.
22level: high
References
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel