
Summary
This detection rule identifies Privileged Identity Management (PIM) elevation requests that have been either approved or denied within an Azure environment. It monitors audit logs for the specific messages that record these outcomes. PIM is central to managing and controlling elevated access in Azure Active Directory, so elevation activity that falls outside normal operational patterns should be investigated as a potential security threat. The rule also accounts for false positives, in particular legitimate administrators using PIM as intended, so that security teams can focus on potentially malicious activity.
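As an added illustration of the detection logic described above (not the rule's own query or any project code), the Python below walks constructed audit-log lines, flags entries whose message carries a PIM approval or denial marker, and separates hits from an assumed allowlist of known PIM administrators for false-positive handling. The marker strings, field names, allowlist and sample entries are all assumptions made for this example.

```python
import json

# Assumed message fragments standing in for the audit-log wording that records
# a PIM elevation request outcome (not the rule's real match strings).
PIM_OUTCOME_MARKERS = ("PIM activation request approved",
                       "PIM activation request denied")

# Assumed allowlist of accounts expected to use PIM in normal operations.
KNOWN_PIM_ADMINS = {"pim-admin@example.com"}

# Constructed newline-delimited JSON entries in an audit-log-like shape.
SAMPLE_AUDIT_LOG = """
{"time": "2022-08-09T10:01:00Z", "initiatedBy": "pim-admin@example.com", "message": "PIM activation request approved", "targetRole": "Global Administrator"}
{"time": "2022-08-09T10:05:00Z", "initiatedBy": "dev-user@example.com", "message": "PIM activation request denied", "targetRole": "Security Administrator"}
{"time": "2022-08-09T10:07:00Z", "initiatedBy": "dev-user@example.com", "message": "User signed in", "targetRole": ""}
{"time": "2022-08-09T03:15:00Z", "initiatedBy": "contractor@example.com", "message": "PIM activation request approved", "targetRole": "Privileged Role Administrator"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(entry):
    """Core rule condition: the message carries a PIM outcome marker."""
    message = entry.get("message", "")
    return any(marker in message for marker in PIM_OUTCOME_MARKERS)


def triage(entries, known_admins=KNOWN_PIM_ADMINS):
    """Return rule hits; known admins are tagged 'review', others 'investigate'.

    Known-admin hits are kept (not suppressed) so approvals by expected
    accounts remain auditable while analysts prioritise the rest.
    """
    hits = []
    for entry in entries:
        if not matches_rule(entry):
            continue
        outcome = "approved" if "approved" in entry["message"] else "denied"
        actor = entry.get("initiatedBy", "")
        verdict = "review" if actor in known_admins else "investigate"
        hits.append({"time": entry.get("time", ""), "actor": actor,
                     "role": entry.get("targetRole", ""),
                     "outcome": outcome, "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in triage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(hit)
```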
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2022-08-09