Roles Assigned Outside PIM

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Sigma rule (View on GitHub)

 1title: Roles Assigned Outside PIM
 2id: b1bc08d1-8224-4758-a0e6-fbcfc98c73bb
 3status: test
 4description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.t1078
11    - attack.persistence
12    - attack.privilege-escalation
13logsource:
14    product: azure
15    service: pim
16detection:
17    selection:
18        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
19    condition: selection
20falsepositives:
21    - Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.
22level: high

References

Related rules

to-top