
Summary
The Azure Role Changed PIM detection rule monitors changes to a member's Privileged Identity Management (PIM) roles within Azure Active Directory (Entra ID). The rule primarily looks for events logged in the Azure audit logs that indicate either the successful addition of a role to a user or a request for a role change. It can flag unauthorized changes by comparing the logged activity against expected behavior. If a role change is detected as unauthorized, it triggers a verification process to assess whether the modification was appropriate, which may lead to reverting the role and notifying the relevant security teams. The rule's severity is categorized as medium, reflecting a balanced approach to monitoring: role alterations may pose risks, but context is required to determine the true threat level.
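The following is an added example of the detection flow described above, not code from the rule itself or from its author: it filters constructed, simplified Entra ID audit records for the two event shapes the rule cares about (a successful PIM role addition, or a request for a PIM role change), compares each hit against a set of pre-approved (user, role) assignments, and emits medium-severity findings for everything else. The operation-name strings, field names and sample identities are assumptions made for illustration, not values taken from the rule definition.

```python
"""Toy detector for PIM role changes in Entra ID audit log records (added example)."""
from dataclasses import dataclass

# Constructed sample records shaped like simplified Entra ID audit log entries.
# The operation names follow the PIM naming pattern but are assumptions for
# this example, not values copied from the rule.
SAMPLE_AUDIT_EVENTS = [
    {
        "operationName": "Add member to role completed (PIM activation)",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": "alice@example.com",
        "targetUser": "alice@example.com",
        "role": "Global Administrator",
    },
    {
        "operationName": "Add eligible member to role in PIM requested (permanent)",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": "bob@example.com",
        "targetUser": "carol@example.com",
        "role": "Privileged Role Administrator",
    },
    {
        # Failed activation: not a completed role addition, so it is ignored.
        "operationName": "Add member to role completed (PIM activation)",
        "category": "RoleManagement",
        "result": "failure",
        "initiatedBy": "mallory@example.com",
        "targetUser": "mallory@example.com",
        "role": "Global Administrator",
    },
    {
        # Unrelated directory change: wrong category, ignored.
        "operationName": "Update user",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": "helpdesk@example.com",
        "targetUser": "dave@example.com",
        "role": "",
    },
    {
        "operationName": "Add member to role in PIM completed (timebound)",
        "category": "RoleManagement",
        "result": "success",
        "initiatedBy": "eve@example.com",
        "targetUser": "eve@example.com",
        "role": "Exchange Administrator",
    },
]

# Expected assignments, e.g. from an approved change ticket: (user, role).
# Constructed for this example.
APPROVED_CHANGES = {
    ("alice@example.com", "Global Administrator"),
}


@dataclass(frozen=True)
class Finding:
    """One flagged role change, handed to the verification process."""
    target_user: str
    role: str
    operation: str
    initiated_by: str
    severity: str = "medium"  # the rule's stated severity


def is_pim_role_change(event):
    """True for a successful PIM role addition or a PIM role-change request."""
    if event.get("category") != "RoleManagement":
        return False
    op = event.get("operationName", "")
    if "PIM" not in op or "member to role" not in op:
        return False
    if "requested" in op:
        return True  # requests are flagged regardless of outcome
    return "completed" in op and event.get("result") == "success"


def detect_unexpected_role_changes(events, approved):
    """Return findings for PIM role changes not covered by the approved set."""
    findings = []
    for ev in events:
        if not is_pim_role_change(ev):
            continue
        if (ev["targetUser"], ev["role"]) in approved:
            continue  # matches expected behavior, no finding
        findings.append(Finding(ev["targetUser"], ev["role"],
                                ev["operationName"], ev["initiatedBy"]))
    return findings


if __name__ == "__main__":
    for f in detect_unexpected_role_changes(SAMPLE_AUDIT_EVENTS, APPROVED_CHANGES):
        print(f"[{f.severity}] {f.operation}: {f.target_user} -> {f.role} "
              f"(initiated by {f.initiated_by})")
```

Run against the constructed records, this yields two findings (Carol's eligible-role request and Eve's timebound activation); Alice's activation is suppressed because it is in the approved set, and the failed activation and the unrelated user update never match. In a real deployment the approved set would come from a change-management source and the findings would feed the verification step that decides on role reversion and notification.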
Categories
- Identity Management
- Cloud
- Azure
Data Sources
- User Account
- Application Log
- Logon Session
- Cloud Service
ATT&CK Techniques
- T1586
Created: 2025-02-10