Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Changes to PIM Settings

Back
Id0ed0fe7c-af29-4990-af7f-bb5ccb231198
RulenameChanges to PIM Settings
DescriptionPIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.

Monitor these changes to ensure they are being made legitimately and don’t confer more privileges than expected or reduce the security of a PIM elevation.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
SeverityHigh
TacticsPrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml
Version1.0.1
Arm template0ed0fe7c-af29-4990-af7f-bb5ccb231198.json
Deploy To Azure
AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName =~ "Update role setting in PIM"
  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress
metadata:
  author:
    name: Pete Bryan
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml
description: |
  'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.
    Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
tags:
- AADSecOpsGuide
triggerOperator: gt
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
queryFrequency: 1d
triggerThreshold: 0
tactics:
- PrivilegeEscalation
query: |
  AuditLogs
    | where Category =~ "RoleManagement"
    | where OperationName =~ "Update role setting in PIM"
    | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
    | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress  
kind: Scheduled
relevantTechniques:
- T1078.004
version: 1.0.1
id: 0ed0fe7c-af29-4990-af7f-bb5ccb231198
entityMappings:
- fieldMappings:
  - columnName: userPrincipalName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: ipAddress
    identifier: Address
  entityType: IP
name: Changes to PIM Settings
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ed0fe7c-af29-4990-af7f-bb5ccb231198')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ed0fe7c-af29-4990-af7f-bb5ccb231198')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Changes to PIM Settings",
        "description": "'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.\n  Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "High",
        "enabled": true,
        "query": "AuditLogs\n  | where Category =~ \"RoleManagement\"\n  | where OperationName =~ \"Update role setting in PIM\"\n  | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n  | project-reorder TimeGenerated, OperationName, ResultReason, userPrincipalName, ipAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "0ed0fe7c-af29-4990-af7f-bb5ccb231198",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "userPrincipalName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml",
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.1"
      }
    }
  ]
}