Changes to PIM Settings
| Id | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 |
| Rulename | Changes to PIM Settings |
| Description | PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don’t confer more privileges than expected or reduce the security of a PIM elevation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml |
| Version | 1.1.1 |
| Arm template | 0ed0fe7c-af29-4990-af7f-bb5ccb231198.json |
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName =~ "Update role setting in PIM"
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix
version: 1.1.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml
description: |
'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.
Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
queryFrequency: 1d
name: Changes to PIM Settings
tactics:
- PrivilegeEscalation
triggerThreshold: 0
id: 0ed0fe7c-af29-4990-af7f-bb5ccb231198
query: |
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName =~ "Update role setting in PIM"
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix
severity: High
metadata:
categories:
domains:
- Security - Others
- Identity
source:
kind: Community
support:
tier: Community
author:
name: Microsoft Security Research
tags:
- AADSecOpsGuide
queryPeriod: 1d
entityMappings:
- fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: InitiatingAccountName
identifier: Name
- columnName: InitiatingAccountUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingIPAddress
identifier: Address
entityType: IP
relevantTechniques:
- T1078.004
kind: Scheduled
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs