Invalid PIM License

Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation ·

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Sigma rule (View on GitHub)

 1title: Invalid PIM License
 2id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
 3status: experimental
 4description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023/09/14
 9tags:
10    - attack.t1078
11    - attack.persistence
12    - attack.privilege_escalation
13logsource:
14    product: azure
15    service: pim
16detection:
17    selection:
18        riskEventType: 'invalidLicenseAlertIncident'
19    condition: selection
20falsepositives:
21    - Investigate if licenses have expired.
22level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Invalid PIM License

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules