Detectionhightest

PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Yochana HendersonCreated Tue Aug 09039a7469-0296-4450-84c0-f6966b16dc6dcloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message: Request Approved/Denied
    condition: selection

False Positives

Actual admin using PIM.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

039a7469-0296-4450-84c0-f6966b16dc6d

Status

test

Level

high

Type

Detection

Created

Tue Aug 09

Author

Path

rules/cloud/azure/audit_logs/azure_pim_activation_approve_deny.yml

Raw Tags

attack.persistenceattack.initial-accessattack.defense-evasionattack.privilege-escalationattack.t1078.004