Rules Contributing to Microsoft Entra PIM Setting Changed Alert
The following rules are used to identify suspicious changes to Microsoft Entra PIM settings. A match on any one or more of these rules triggers the Microsoft Entra PIM Setting Changed Alert. The details for each rule are listed alongside its description.
Title | Description | Query | Log Source | Rule Source | Author | Tactics, Techniques, and Procedures | Severity
---|---|---|---|---|---|---|---
Changes to PIM Settings | Detects when changes are made to PIM roles. | `{'selection': {'properties_message': 'Update role setting in PIM'}, 'condition': 'selection'}` | Stellar Cyber Microsoft Entra Events configured. | SigmaHQ, db6c06c4-bf3b-421c-aa88-15672b88c743 | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | PRIVILEGE_ESCALATION, T1078.004 | 75
PIM Alert Setting Changes to Disabled | Detects when PIM alerts are set to disabled. | `{'selection': {'properties_message': 'Disable PIM Alert'}, 'condition': 'selection'}` | Stellar Cyber Microsoft Entra Events configured. | SigmaHQ, aeaef14c-e5bf-4690-a9c8-835caad458bd | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | | 75