Adversaries may modify Privileged Identity Management (PIM) role settings to gain or maintain elevated privileges within an organization. SOC teams should proactively hunt for these changes in Azure Sentinel to identify potential privilege escalation attempts and unauthorized access.
KQL Query

```kusto
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName =~ "Update role setting in PIM"
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix
```
```yaml
id: 0ed0fe7c-af29-4990-af7f-bb5ccb231198
name: Changes to PIM Settings
description: |
  'PIM provides a key mechanism for assigning privileges to accounts, this query detects changes to PIM role settings.
  Monitor these changes to ensure they are being made legitimately and don't confer more privileges than expected or reduce the security of a PIM elevation.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
query: |
  AuditLogs
  | where Category =~ "RoleManagement"
  | where OperationName =~ "Update role setting in PIM"
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
  | project-reorder TimeGenerated, OperationName, ResultReason, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress, InitiatingAccountName, InitiatingAccountUPNSuffix
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatingUserPrincipalName
      - identifier: Name
        columnName: InitiatingAccountName
      - identifier: UPNSuffix
        columnName: InitiatingAccountUPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: InitiatingAadUserId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: InitiatingIPAddress
version: 1.1.1
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| AuditLogs | Ensure this data connector is enabled |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Scheduled Job Updates PIM Role Membership | A scheduled job or automation tool (e.g., AWS CLI, Terraform, or CloudFormation) updates PIM role membership as part of routine infrastructure provisioning. | Check for source_ip matching known automation IP ranges or include a user_agent filter for tools like aws-cli or terraform. |
| Admin Task to Revoke Access During Audit | An administrator manually revokes access to a user account as part of a compliance or security audit, which triggers the PIM change detection rule. | Include a user field filter for known admin accounts (e.g., admin_user) or check for event_type indicating a manual admin action. |
| PIM Role Sync with Identity Provider (IdP) | A synchronization job (e.g., AWS SAML or SCIM integration) updates PIM roles based on changes in the identity provider, such as Active Directory or Okta. | Use source or service fields to identify sync tools (e.g., okta-sync, aws-saml) or filter by change_type indicating sync-related updates. |
| Temporary Role Assignment for Incident Response | During an incident response, a security team temporarily assigns a PIM role to a responder account to access sensitive systems. | Include a duration or timestamp filter to identify short-lived assignments, or use a user field to flag known incident response accounts. |
| Role-Based Access Control (RBAC) Policy Update | A system administrator updates RBAC policies in a tool like Azure RBAC or AWS IAM, which indirectly affects PIM role settings. | |
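The following Python is an added example, not part of the detection rule or of the Sentinel content repository. It replays the KQL query above (the `=~` case-insensitive matches, the `tostring()` of nested `InitiatedBy.user` fields, and the `split(..., "@")` into account name and UPN suffix) over a constructed JSON-lines export of the AuditLogs table, so the hunt can be checked offline and the projection logic can be unit-tested. It also makes explicit two things the query and the false-positive scenarios leave implicit: a change made by an application populates `InitiatedBy.app` rather than `InitiatedBy.user`, so every user-derived column is empty for that row (the `displayName` key under `InitiatedBy.app` is an assumption of this example), and a tuning allowlist of known automation UPNs or source IPs is applied as a flag rather than a drop, so the rows stay visible to the analyst. The sample records, names, GUIDs and IP addresses are constructed, and `load_export`, `kql_tostring`, `get_path` and `hunt_pim_setting_changes` are this example's own names.

```python
"""Offline replay of the 'Update role setting in PIM' hunt over an AuditLogs export."""
import json

# Constructed JSON-lines export (not real tenant data). Field shapes follow the
# AuditLogs table: Category, OperationName, ResultReason, InitiatedBy.user / InitiatedBy.app.
SAMPLE_EXPORT = """\
{"TimeGenerated":"2024-01-10T09:12:44Z","Category":"RoleManagement","OperationName":"Update role setting in PIM","ResultReason":"","InitiatedBy":{"user":{"userPrincipalName":"alice@contoso.example","id":"11111111-1111-1111-1111-111111111111","ipAddress":"203.0.113.10"}}}
{"TimeGenerated":"2024-01-10T09:15:02Z","Category":"RoleManagement","OperationName":"Update role setting in PIM","ResultReason":"","InitiatedBy":{"app":{"displayName":"pim-automation","servicePrincipalId":"22222222-2222-2222-2222-222222222222"}}}
{"TimeGenerated":"2024-01-10T09:20:31Z","Category":"RoleManagement","OperationName":"Add member to role in PIM completed (timebound)","ResultReason":"","InitiatedBy":{"user":{"userPrincipalName":"bob@contoso.example","id":"33333333-3333-3333-3333-333333333333","ipAddress":"203.0.113.11"}}}
{"TimeGenerated":"2024-01-10T09:41:07Z","Category":"rolemanagement","OperationName":"UPDATE ROLE SETTING IN PIM","ResultReason":"","InitiatedBy":{"user":{"userPrincipalName":"breakglass-admin@contoso.example","id":"44444444-4444-4444-4444-444444444444","ipAddress":"198.51.100.5"}}}
"""


def load_export(text):
    """Parse a JSON-lines AuditLogs export into dict records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def kql_tostring(value):
    """Mirror KQL tostring(): a missing or null dynamic value becomes the empty string."""
    return "" if value is None else str(value)


def get_path(record, dotted):
    """Mirror dotted access on a dynamic column, e.g. InitiatedBy.user.userPrincipalName."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def hunt_pim_setting_changes(records, known_automation_upns=(), known_automation_ips=()):
    """Apply the query's filters and projections; flag rows matching a tuning allowlist."""
    upn_allow = {u.lower() for u in known_automation_upns}
    ip_allow = set(known_automation_ips)
    rows = []
    for rec in records:
        # =~ is case-insensitive string equality in KQL, so normalise both sides.
        if kql_tostring(rec.get("Category")).lower() != "rolemanagement":
            continue
        if kql_tostring(rec.get("OperationName")).lower() != "update role setting in pim":
            continue
        upn = kql_tostring(get_path(rec, "InitiatedBy.user.userPrincipalName"))
        parts = upn.split("@")
        row = {
            "TimeGenerated": rec.get("TimeGenerated"),
            "OperationName": rec.get("OperationName"),
            "ResultReason": kql_tostring(rec.get("ResultReason")),
            "InitiatingUserPrincipalName": upn,
            "InitiatingAadUserId": kql_tostring(get_path(rec, "InitiatedBy.user.id")),
            "InitiatingIPAddress": kql_tostring(get_path(rec, "InitiatedBy.user.ipAddress")),
            "InitiatingAccountName": parts[0],
            # split()[1] on a value with no "@" is null in KQL, hence "" after tostring().
            "InitiatingAccountUPNSuffix": parts[1] if len(parts) > 1 else "",
        }
        # The query only unpacks InitiatedBy.user; an app-initiated change leaves every
        # user column empty. Surface the app's display name (assumed key) instead of
        # letting the event look anonymous. Real exports may carry other app fields.
        app_name = kql_tostring(get_path(rec, "InitiatedBy.app.displayName"))
        row["InitiatorKind"] = "user" if upn else ("app" if app_name else "unknown")
        row["InitiatingAppDisplayName"] = app_name
        # Tuning: mark known automation identities/sources rather than dropping them.
        row["KnownAutomation"] = upn.lower() in upn_allow or row["InitiatingIPAddress"] in ip_allow
        rows.append(row)
    return rows


if __name__ == "__main__":
    for hit in hunt_pim_setting_changes(load_export(SAMPLE_EXPORT),
                                        known_automation_ips=["203.0.113.10"]):
        print(hit)
```

Run against the constructed export, three of the four records survive the two `where` clauses (the membership change is excluded, the upper-cased record is kept because `=~` ignores case), the app-initiated row comes back with empty user columns but `InitiatorKind == "app"`, and only the row from the allowlisted source IP is marked `KnownAutomation`. The break-glass account's change is neither allowlisted nor app-initiated, which is exactly the row an analyst should look at first.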