Roles Activated Too Frequently

Aug 12, 2024 · attack.t1078 attack.persistence attack.privilege-escalation ·

Identifies when the same privilege role has multiple activations by the same user.

Sigma rule (View on GitHub)

 1title: Roles Activated Too Frequently
 2id: 645fd80d-6c07-435b-9e06-7bc1b5656cba
 3status: test
 4description: Identifies when the same privilege role has multiple activations by the same user.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
 7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 8date: 2023-09-14
 9tags:
10    - attack.t1078
11    - attack.persistence
12    - attack.privilege-escalation
13logsource:
14    product: azure
15    service: pim
16detection:
17    selection:
18        riskEventType: 'sequentialActivationRenewalsAlertIncident'
19    condition: selection
20falsepositives:
21    - Investigate where if active time period for a role is set too short.
22level: high

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Configure security alerts for Microsoft Entra roles Privileged Identity Management.

Read More

Roles Activated Too Frequently

Sigma rule (View on GitHub)

References

Security alerts for Microsoft Entra roles in PIM - Microsoft Entra ID Governance

Related rules