Roles Activated Too Frequently

Oct 23, 2025 · attack.initial-access attack.defense-evasion attack.t1078 attack.persistence attack.privilege-escalation ·

Share on:

Identifies when the same privilege role has multiple activations by the same user.

Sigma rule (View on GitHub)

 1title: Roles Activated Too Frequently
 2id: 645fd80d-6c07-435b-9e06-7bc1b5656cba
 3status: test
 4description: Identifies when the same privilege role has multiple activations by the same user.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.initial-access
11    - attack.defense-evasion
12    - attack.t1078
13    - attack.persistence
14    - attack.privilege-escalation
15logsource:
16    product: azure
17    service: pim
18detection:
19    selection:
20        riskEventType: 'sequentialActivationRenewalsAlertIncident'
21    condition: selection
22falsepositives:
23    - Investigate where if active time period for a role is set too short.
24level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Roles Activated Too Frequently

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules