Roles Activation Doesn't Require MFA
Identifies when a privilege role can be activated without performing mfa.
Sigma rule (View on GitHub)
1title: Roles Activation Doesn't Require MFA
2id: 94a66f46-5b64-46ce-80b2-75dcbe627cc0
3status: experimental
4description: Identifies when a privilege role can be activated without performing mfa.
5references:
6 - https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
7author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
8date: 2023/09/14
9tags:
10 - attack.t1078
11 - attack.persistence
12 - attack.privilege_escalation
13logsource:
14 product: azure
15 service: pim
16detection:
17 selection:
18 riskEventType: 'noMfaOnRoleActivationAlertIncident'
19 condition: selection
20falsepositives:
21 - Investigate if user is performing MFA at sign-in.
22level: high
References
Related rules
- Invalid PIM License
- Roles Activated Too Frequently
- Roles Are Not Being Used
- Roles Assigned Outside PIM
- Stale Accounts In A Privileged Role