LoFP / As part of legitimate administrative behavior, users may activate PIM roles. Filter as needed.

Techniques

Sample rules

Azure AD PIM Role Assignment Activated

Description

The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the “Add member to role completed (PIM activation)” operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.

Detection logic

`azure_monitor_aad` operationName="Add member to role completed (PIM activation)"
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by initiatedBy, result, operationName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_pim_role_assignment_activated_filter`
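To show what the search above produces and where the false-positive filter fits, here is an added Python re-implementation of the same aggregation run over a handful of constructed Azure AD audit-log records. It is example code written for this page, not Splunk's search or a macro definition. It assumes the events carry the fields the SPL references (`operationName`, `properties.result`, `properties.initiatedBy.user.userPrincipalName`, `properties.targetResources[].displayName`, `_time`) and a top-level `user` field as the sourcetype's field alias would provide; the timestamp format and the allowlist of known administrators standing in for the `azure_ad_pim_role_assignment_activated_filter` macro are assumptions.

```python
from datetime import datetime, timezone

# The operation the search keys on (taken from the detection logic above).
PIM_ACTIVATION_OP = "Add member to role completed (PIM activation)"


def _event(t, initiator, result, role, user, op=PIM_ACTIVATION_OP):
    """Build one constructed audit-log record shaped like azure_monitor_aad data."""
    return {
        "_time": t,
        "operationName": op,
        "user": user,  # assumed: populated by a field alias in the sourcetype
        "properties": {
            "result": result,
            "initiatedBy": {"user": {"userPrincipalName": initiator}},
            "targetResources": [{"displayName": role}],
        },
    }


# Constructed sample events: two activations by alice, a failed and a successful
# one by bob, a non-PIM role add by carol (must be ignored), and one by dave,
# who is on the allowlist of administrators expected to activate roles.
SAMPLE_EVENTS = [
    _event(1700000000, "alice@example.com", "success", "Global Administrator", "alice@example.com"),
    _event(1700003600, "alice@example.com", "success", "Global Administrator", "alice@example.com"),
    _event(1700001000, "bob@example.com", "failure", "Security Administrator", "bob@example.com"),
    _event(1700002000, "bob@example.com", "success", "Exchange Administrator", "bob@example.com"),
    _event(1700002500, "carol@example.com", "success", "Global Administrator",
           "carol@example.com", op="Add member to role"),
    _event(1700004000, "dave@example.com", "success", "Global Administrator", "dave@example.com"),
]

# Stand-in for the `azure_ad_pim_role_assignment_activated_filter` macro:
# initiators whose PIM activations are expected (assumed, tune per tenant).
KNOWN_PIM_ADMINS = frozenset({"dave@example.com"})


def format_ctime(epoch_seconds):
    """Render an epoch timestamp the way the ctime macros do (assumed format)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detect_pim_activations(events, allowlist=KNOWN_PIM_ADMINS):
    """Replicate the search: filter on operationName, then stats by
    initiatedBy, result, operationName, then drop allowlisted initiators.
    Returns a list of result rows sorted by the group-by key."""
    groups = {}
    for ev in events:
        if ev.get("operationName") != PIM_ACTIVATION_OP:
            continue
        props = ev.get("properties", {})
        initiated_by = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        key = (initiated_by, props.get("result"), ev["operationName"])
        g = groups.setdefault(key, {"count": 0, "first": None, "last": None,
                                    "user": set(), "displayName": set()})
        t = ev["_time"]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        if ev.get("user"):
            g["user"].add(ev["user"])
        for tr in props.get("targetResources", []):
            if tr.get("displayName"):
                g["displayName"].add(tr["displayName"])

    rows = []
    for key in sorted(groups, key=lambda k: tuple(str(x) for x in k)):
        initiated_by, result, op = key
        if initiated_by in allowlist:  # the false-positive filter step
            continue
        g = groups[key]
        rows.append({
            "initiatedBy": initiated_by,
            "result": result,
            "operationName": op,
            "count": g["count"],
            "firstTime": format_ctime(g["first"]),
            "lastTime": format_ctime(g["last"]),
            "user": sorted(g["user"]),
            "displayName": sorted(g["displayName"]),
        })
    return rows


if __name__ == "__main__":
    for row in detect_pim_activations(SAMPLE_EVENTS):
        print(row)
```

Running it yields three rows: two activations by alice collapsed into one row with a first/last time span, and bob's failed and successful activations as separate rows because `result` is part of the group-by key. Carol's plain role assignment never matches the `operationName` predicate, and dave's activation is removed by the allowlist, which is exactly the role the filter macro plays when legitimate administrators activate PIM roles as part of routine work.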