Detectionhightest

Roles Activated Too Frequently

Identifies when the same privilege role has multiple activations by the same user.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Gloria LeeCreated Thu Sep 14645fd80d-6c07-435b-9e06-7bc1b5656cbacloud

Log Source

Azurepim

ProductAzure← raw: azure

Servicepim← raw: pim

Detection Logic

detection:
    selection:
        riskEventType: 'sequentialActivationRenewalsAlertIncident'
    condition: selection

False Positives

Investigate where if active time period for a role is set too short.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

645fd80d-6c07-435b-9e06-7bc1b5656cba

Status

test

Level

high

Type

Detection

Created

Thu Sep 14

Author

Path

rules/cloud/azure/privileged_identity_management/azure_pim_role_frequent_activation.yml

Raw Tags

attack.initial-accessattack.defense-evasionattack.t1078attack.persistenceattack.privilege-escalation