Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Changes to PIM Settings

Back
Id0ed0fe7c-af29-4990-af7f-bb5ccb231198
RulenameChanges to PIM Settings
DescriptionPIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.

Monitor these changes to ensure they are being made legitimately and don’t confer more privileges than expected or reduce the security of a PIM elevation.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml
Version1.0.1
Arm template0ed0fe7c-af29-4990-af7f-bb5ccb231198.json
Deploy To Azure
AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName =~ "Update role setting in PIM"
  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress
queryFrequency: 1d
metadata:
  author:
    name: Pete Bryan
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
  'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.
    Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
relevantTechniques:
- T1078.004
name: Changes to PIM Settings
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml
severity: High
triggerThreshold: 0
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: userPrincipalName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ipAddress
tags:
- AADSecOpsGuide
id: 0ed0fe7c-af29-4990-af7f-bb5ccb231198
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
kind: Scheduled
query: |
  AuditLogs
    | where Category =~ "RoleManagement"
    | where OperationName =~ "Update role setting in PIM"
    | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
    | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress  
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ed0fe7c-af29-4990-af7f-bb5ccb231198')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ed0fe7c-af29-4990-af7f-bb5ccb231198')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Changes to PIM Settings",
        "description": "'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\n  Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "High",
        "enabled": true,
        "query": "AuditLogs\n  | where Category =~ \"RoleManagement\"\n  | where OperationName =~ \"Update role setting in PIM\"\n  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n  | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "0ed0fe7c-af29-4990-af7f-bb5ccb231198",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "userPrincipalName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "ipAddress"
              }
            ]
          }
        ],
        "templateVersion": "1.0.1",
        "tags": [
          "AADSecOpsGuide"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml"
      }
    }
  ]
}