Roles Assigned Outside PIM

Sep 14, 2023 · attack.t1078 attack.persistence attack.privilege_escalation ·

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Sigma rule (View on GitHub)

 1title: Roles Assigned Outside PIM
 2id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
 3status: experimental
 4description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023/09/14
 9tags:
10    - attack.t1078
11    - attack.persistence
12    - attack.privilege_escalation
13logsource:
14    product: azure
15    service: pim
16detection:
17    selection:
18        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
19    condition: selection
20falsepositives:
21    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
22level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Roles Assigned Outside PIM

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules