Techniques
Sample rules
Roles Activated Too Frequently
- source: sigma
- techniques:
  - t1078
Description
Identifies when the same privilege role has multiple activations by the same user.
Detection logic
condition: selection
selection:
  riskEventType: sequentialActivationRenewalsAlertIncident