Roles Assigned Outside PIM
Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
Sigma rule (View on GitHub)
1title: Roles Assigned Outside PIM
2id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
3status: experimental
4description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
5references:
6 - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
8date: 2023/09/14
9tags:
10 - attack.t1078
11 - attack.persistence
12 - attack.privilege_escalation
13logsource:
14 product: azure
15 service: pim
16detection:
17 selection:
18 riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
19 condition: selection
20falsepositives:
21 - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
22level: high
References
Related rules
- Invalid PIM License
- Roles Activated Too Frequently
- Roles Activation Doesn't Require MFA
- Roles Are Not Being Used
- Stale Accounts In A Privileged Role