Detectionhightest

Changes To PIM Settings

Detects when changes are made to PIM roles

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Yochana HendersonCreated Tue Aug 09db6c06c4-bf3b-421c-aa88-15672b88c743cloud

Log Source

Azureauditlogs

ProductAzure← raw: azure

Serviceauditlogs← raw: auditlogs

Detection Logic

detection:
    selection:
        properties.message: Update role setting in PIM
    condition: selection

False Positives

Legit administrative PIM setting configuration changes

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

db6c06c4-bf3b-421c-aa88-15672b88c743

Status

test

Level

high

Type

Detection

Created

Tue Aug 09

Author

Path

rules/cloud/azure/audit_logs/azure_pim_change_settings.yml

Raw Tags

attack.initial-accessattack.defense-evasionattack.privilege-escalationattack.persistenceattack.t1078.004