Stale Accounts In A Privileged Role
Identifies when an account hasn't signed in during the past n number of days.
Log Source
Product: azure
Service: pim
Detection Logic
detection:
    selection:
        riskEventType: 'staleSignInAlertIncident'
    condition: selection
False Positives
Investigate whether the account is a generic (shared or break-glass) account that cannot be removed.
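The selection above is a single field match, so the rule can be applied with a few lines over exported PIM alert records. The block below is an added example, not part of the rule or the Phoenix Studio page; it assumes one JSON object per line carrying the riskEventType field, and the userPrincipalName and daysSinceLastSignIn fields and the second alert type are constructed for illustration. The allowlist argument implements the false-positive note: known generic accounts are reported separately instead of being silently dropped.

```python
import json

# Constructed sample records (assumed shape: one JSON object per line).
# The second riskEventType value is a made-up placeholder, not a real Azure alert type.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"riskEventType": "staleSignInAlertIncident",
                "userPrincipalName": "alice@example.com",
                "roleName": "Global Administrator", "daysSinceLastSignIn": 95}),
    json.dumps({"riskEventType": "otherAlertIncidentPlaceholder",
                "userPrincipalName": "bob@example.com",
                "roleName": "User Administrator"}),
    json.dumps({"riskEventType": "staleSignInAlertIncident",
                "userPrincipalName": "breakglass@example.com",
                "roleName": "Global Administrator", "daysSinceLastSignIn": 200}),
    "not json at all",  # malformed line, must not break the run
])

# The Sigma selection from the rule: every listed field must match (AND semantics).
SELECTION = {"riskEventType": "staleSignInAlertIncident"}


def matches_selection(event, selection=SELECTION):
    """True when each field in the selection equals the event's value."""
    return all(event.get(field) == value for field, value in selection.items())


def parse_events(raw):
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detect_stale_privileged(raw, known_generic=frozenset()):
    """Return (alerts, suppressed): matching events split by the generic-account allowlist."""
    alerts, suppressed = [], []
    for event in parse_events(raw):
        if not matches_selection(event):
            continue
        upn = str(event.get("userPrincipalName", "")).lower()
        (suppressed if upn in known_generic else alerts).append(event)
    return alerts, suppressed
```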
References
MITRE ATT&CK
Rule Metadata
Rule ID
e402c26a-267a-45bd-9615-bd9ceda6da85
Status
test
Level
high
Type
Detection
Created
Thu Sep 14
Author
Path
rules/cloud/azure/privileged_identity_management/azure_pim_account_stale.yml
Raw Tags
attack.initial-access, attack.defense-evasion, attack.t1078, attack.persistence, attack.privilege-escalation