Detectionhightest

Roles Are Not Being Used

Identifies when a user has been assigned a privilege role and are not using that role.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Gloria LeeCreated Thu Sep 148c6ec464-4ae4-43ac-936a-291da66ed13dcloud

Log Source

Azurepim

ProductAzure← raw: azure

Servicepim← raw: pim

Detection Logic

detection:
    selection:
        riskEventType: 'redundantAssignmentAlertIncident'
    condition: selection

False Positives

Investigate if potential generic account that cannot be removed.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

8c6ec464-4ae4-43ac-936a-291da66ed13d

Status

test

Level

high

Type

Detection

Created

Thu Sep 14

Author

Path

rules/cloud/azure/privileged_identity_management/azure_pim_role_not_used.yml

Raw Tags

attack.initial-accessattack.defense-evasionattack.t1078attack.persistenceattack.privilege-escalation