Invalid PIM License

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Sigma rule (View on GitHub)

 1title: Invalid PIM License
 2id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
 3status: experimental
 4description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023/09/14
 9tags:
10    - attack.t1078
11    - attack.persistence
12    - attack.privilege_escalation
13logsource:
14    product: azure
15    service: pim
16detection:
17    selection:
18        riskEventType: 'invalidLicenseAlertIncident'
19    condition: selection
20falsepositives:
21    - Investigate if licenses have expired.
22level: high

References

Related rules

to-top