LoFP / As part of legitimate administrative behavior, users may be assigned PIM roles. Filter as needed.

Techniques

Sample rules

Azure AD PIM Role Assigned

Description

The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.

Detection logic

`azure_monitor_aad` operationName="Add eligible member to role in PIM completed*"
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user values(targetResources{}.displayName) as displayName by result, operationName, initiatedBy.user.displayName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_pim_role_assigned_filter`
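To make the search and the false-positive tuning concrete, here is an added Python example (not code from the original page or from the Splunk security content project) that re-implements the same logic over a few constructed Azure AD audit events: the wildcard match on operationName, the stats grouping by result, operationName and initiator, the first/last-time conversion, and a final allowlist step standing in for the `azure_ad_pim_role_assigned_filter` macro. The event field names follow the schema the rule references after `rename properties.* as *`; the sample values, the `user` field contents, the `KNOWN_PIM_ADMINS` allowlist and the assumed `%m/%d/%Y %H:%M:%S` output format of `security_content_ctime` are assumptions made for the example.

```python
"""Added example, not part of the original page: a Python equivalent of the
Azure AD PIM Role Assigned search, run over constructed sample events.
Assumptions: the event layout below, the 'user' field, the KNOWN_PIM_ADMINS
allowlist (stand-in for the `azure_ad_pim_role_assigned_filter` macro) and the
ctime output format."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, shaped like azure_monitor_aad records after the
# rule's `rename properties.* as *` step. Names and timestamps are invented.
SAMPLE_EVENTS = [
    {
        "_time": "2024-05-01T09:15:00Z",
        "operationName": "Add eligible member to role in PIM completed (permanent)",
        "result": "success",
        "user": "alice@example.com",
        "initiatedBy": {"user": {"displayName": "Admin One"}},
        "targetResources": [{"displayName": "Global Administrator"}],
    },
    {
        "_time": "2024-05-01T09:20:00Z",
        "operationName": "Add eligible member to role in PIM completed (permanent)",
        "result": "success",
        "user": "bob@example.com",
        "initiatedBy": {"user": {"displayName": "Admin One"}},
        "targetResources": [{"displayName": "Security Administrator"}],
    },
    {
        "_time": "2024-05-01T11:00:00Z",
        "operationName": "Add eligible member to role in PIM completed (permanent)",
        "result": "success",
        "user": "carol@example.com",
        "initiatedBy": {"user": {"displayName": "Unknown Actor"}},
        "targetResources": [{"displayName": "Global Administrator"}],
    },
    {
        # A "requested" event, not "completed": the wildcard in the rule
        # does not match it, so it must not appear in the results.
        "_time": "2024-05-01T11:05:00Z",
        "operationName": "Add eligible member to role in PIM requested (permanent)",
        "result": "success",
        "user": "dave@example.com",
        "initiatedBy": {"user": {"displayName": "Admin Two"}},
        "targetResources": [{"displayName": "Exchange Administrator"}],
    },
]

# Assumed allowlist that plays the role of the `azure_ad_pim_role_assigned_filter`
# macro: initiators who assign PIM roles as part of their normal duties.
KNOWN_PIM_ADMINS = {"Admin One"}

CTIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed output format of security_content_ctime


def matches_rule(event):
    """Search clause: operationName="Add eligible member to role in PIM completed*"."""
    return event.get("operationName", "").startswith(
        "Add eligible member to role in PIM completed")


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate(events):
    """stats count min(_time) max(_time) values(user) values(targetResources{}.displayName)
    by result, operationName, initiatedBy.user.displayName"""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "user": set(), "displayName": set()})
    for ev in events:
        if not matches_rule(ev):
            continue
        key = (ev["result"], ev["operationName"], ev["initiatedBy"]["user"]["displayName"])
        g = groups[key]
        t = parse_time(ev["_time"])
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        g["user"].add(ev["user"])
        for target in ev.get("targetResources", []):
            g["displayName"].add(target["displayName"])
    rows = []
    for (result, op_name, initiator), g in groups.items():
        rows.append({
            "result": result, "operationName": op_name, "initiator": initiator,
            "count": g["count"],
            "firstTime": g["first"].strftime(CTIME_FORMAT),  # security_content_ctime
            "lastTime": g["last"].strftime(CTIME_FORMAT),
            "user": sorted(g["user"]), "displayName": sorted(g["displayName"]),
        })
    return rows


def apply_filter(rows, allowlist=KNOWN_PIM_ADMINS):
    """Stand-in for the filter macro: drop rows initiated by known PIM administrators."""
    return [r for r in rows if r["initiator"] not in allowlist]


def run_detection(events=SAMPLE_EVENTS):
    """Full pipeline: search, aggregate, then apply the false-positive filter."""
    return apply_filter(aggregate(events))


if __name__ == "__main__":
    for row in run_detection():
        print(row)
```

On the sample input the aggregation yields two rows, one per initiator; the allowlist then removes the row for "Admin One" (two assignments, two roles), leaving only the assignment made by "Unknown Actor" for an analyst to review. Tuning the macro in Splunk works the same way: add the initiators, roles or target users that are known-good for your tenant, and keep the untuned rule logic intact.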