Changes to PIM Settings
| Field | Value |
|---|---|
| Id | 0ed0fe7c-af29-4990-af7f-bb5ccb231198 |
| Rulename | Changes to PIM Settings |
| Description | PIM provides a key mechanism for assigning privileges to accounts; this query detects changes to PIM role settings. Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml |
| Version | 1.0.1 |
| Arm template | 0ed0fe7c-af29-4990-af7f-bb5ccb231198.json |
```kusto
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName =~ "Update role setting in PIM"
| extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress
```
```yaml
metadata:
  author:
    name: Pete Bryan
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
      - Security - Others
      - Identity
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml
description: |
  'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.
  Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
tags:
  - AADSecOpsGuide
triggerOperator: gt
queryPeriod: 1d
requiredDataConnectors:
  - dataTypes:
      - AuditLogs
    connectorId: AzureActiveDirectory
queryFrequency: 1d
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
query: |
  AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName =~ "Update role setting in PIM"
  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress
kind: Scheduled
relevantTechniques:
  - T1078.004
version: 1.0.1
id: 0ed0fe7c-af29-4990-af7f-bb5ccb231198
entityMappings:
  - fieldMappings:
      - columnName: userPrincipalName
        identifier: FullName
    entityType: Account
  - fieldMappings:
      - columnName: ipAddress
        identifier: Address
    entityType: IP
name: Changes to PIM Settings
```
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ed0fe7c-af29-4990-af7f-bb5ccb231198')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ed0fe7c-af29-4990-af7f-bb5ccb231198')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Changes to PIM Settings",
        "description": "'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\n Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "High",
        "enabled": true,
        "query": "AuditLogs\n | where Category =~ \"RoleManagement\"\n | where OperationName =~ \"Update role setting in PIM\"\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "0ed0fe7c-af29-4990-af7f-bb5ccb231198",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "userPrincipalName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml",
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.1"
      }
    }
  ]
}
```