Azure Role Changed PIM

Panther Rules

Summary
The Azure Role Changed PIM detection rule monitors changes to a member's Privileged Identity Management (PIM) roles in Azure Active Directory (Entra ID). It watches Azure Audit log events that record either the successful addition of a role to a user or a request for a role change, and it can flag unauthorized changes by comparing the logged activity against expected behavior. When a role change is judged unauthorized, it triggers a verification process to assess whether the modification was appropriate, which may lead to the role being reverted and the relevant security teams being notified. The rule's severity is medium: role changes can pose real risk, but context is needed to judge the actual threat level.
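As an added illustration of the detection logic described above (example code, not Panther's published rule), the following Panther-style Python rule matches Entra ID audit events that record a PIM role addition or request and builds an alert title from them. The operationName values, the event field layout and the sample events are assumptions modelled on Entra ID audit-log output, not taken from this page.

```python
# Added example, not Panther's own rule code: a Panther-style rule flagging
# Entra ID audit events that record a PIM role addition or request. The
# operationName values, field layout and sample events are assumptions.

PIM_ROLE_OPERATIONS = {
    "Add member to role completed (PIM activation)",
    "Add member to role requested (PIM activation)",
}


def rule(event: dict) -> bool:
    """Fire on successful PIM role additions or requests in the RoleManagement category."""
    if event.get("category") != "RoleManagement":
        return False
    if event.get("operationName") not in PIM_ROLE_OPERATIONS:
        return False
    # A failed request carries no role change, so it is ignored.
    return event.get("properties", {}).get("result") == "success"


def title(event: dict) -> str:
    """Name the actor, the role and the target account in the alert title."""
    props = event.get("properties", {})
    actor = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
    role, target = "unknown role", "unknown user"
    for res in props.get("targetResources", []):
        if res.get("type") == "Role":
            role = res.get("displayName", role)
        elif res.get("type") == "User":
            target = res.get("userPrincipalName", target)
    return f"{actor} changed PIM role {role} for {target}: {event.get('operationName')}"


def run(events: list) -> list:
    """Return alert titles for every event the rule matches."""
    return [title(e) for e in events if rule(e)]


# Constructed samples: a successful activation, a failed request, an unrelated event.
SAMPLE_EVENTS = [
    {"category": "RoleManagement",
     "operationName": "Add member to role completed (PIM activation)",
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
                    "targetResources": [{"type": "Role", "displayName": "Global Administrator"},
                                        {"type": "User", "userPrincipalName": "alice@example.com"}]}},
    {"category": "RoleManagement",
     "operationName": "Add member to role requested (PIM activation)",
     "properties": {"result": "failure", "initiatedBy": {}, "targetResources": []}},
    {"category": "UserManagement", "operationName": "Update user", "properties": {"result": "success"}},
]
```

Running `run(SAMPLE_EVENTS)` yields one alert, for the successful Global Administrator activation; the failed request and the unrelated user update are dropped.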
Categories
  • Identity Management
  • Cloud
  • Azure
Data Sources
  • User Account
  • Application Log
  • Logon Session
  • Cloud Service
ATT&CK Techniques
  • T1586
Created: 2025-02-10