LoFP / investigate where users are being assigned privileged roles outside of privileged identity management and prohibit future assignments from there.

Techniques

• t1078

Sample rules

Roles Assigned Outside PIM

• source: sigma
• technicques:
  • t1078

Description

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Detection logic

condition: selection
selection:
  riskEventType: rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration