Detectionhightest

Roles Assigned Outside PIM

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Gloria LeeCreated Thu Sep 14b1bc08d1-8224-4758-a0e6-fbcfc98c73bbcloud

Log Source

Azurepim

ProductAzure← raw: azure

Servicepim← raw: pim

Detection Logic

detection:
    selection:
        riskEventType: 'rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration'
    condition: selection

False Positives

Investigate where users are being assigned privileged roles outside of Privileged Identity Management and prohibit future assignments from there.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

b1bc08d1-8224-4758-a0e6-fbcfc98c73bb

Status

test

Level

high

Type

Detection

Created

Thu Sep 14

Author

Path

rules/cloud/azure/privileged_identity_management/azure_pim_role_assigned_outside_of_pim.yml

Raw Tags

attack.initial-accessattack.defense-evasionattack.t1078attack.persistenceattack.privilege-escalation