Azure AD Privileged Identity Management member assigned

Set up the Azure integration.

Goal

Detect whenever a user assigns an administrative role in Azure Privileged Identity Management (PIM).

Strategy

Monitor Azure Active Directory and generate a signal when a user assigns an administrative role to a PIM member.

The field @usr.id is the user that actioned the change, and the field @properties.targetResources.userPrincipalName is the user being assigned the administrative privileges.
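The grouping described above, sketched as an added example (not Datadog's rule query and not code from this page). It counts PIM role assignments per pair of assigning user and assigned user. The operation-name prefix, the evt.name attribute and all sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: operation-name prefix of PIM role-assignment audit events.
# The page does not state the rule query; adjust to your tenant's logs.
PIM_ASSIGN_PREFIX = "Add member to role in PIM completed"

# Constructed sample events (not real logs), keyed like the log attributes
# the rule references: usr.id and properties.targetResources.userPrincipalName.
SAMPLE_EVENTS = [
    {"evt": {"name": "Add member to role in PIM completed (permanent)"},
     "usr": {"id": "admin@example.com"},
     "properties": {"targetResources": [
         {"type": "Role", "displayName": "Global Administrator"},
         {"type": "User", "userPrincipalName": "alice@example.com"}]}},
    {"evt": {"name": "Add member to role in PIM completed (permanent)"},
     "usr": {"id": "admin@example.com"},
     "properties": {"targetResources": [
         {"type": "User", "userPrincipalName": "alice@example.com"}]}},
    {"evt": {"name": "Add member to role in PIM completed (timebound)"},
     "usr": {"id": "helpdesk@example.com"},
     "properties": {"targetResources": {"userPrincipalName": "bob@example.com"}}},
    {"evt": {"name": "Update user"},
     "usr": {"id": "admin@example.com"},
     "properties": {"targetResources": [{"userPrincipalName": "carol@example.com"}]}},
    {"evt": {"name": "Add member to role in PIM completed (permanent)"},
     "usr": {"id": "svc@example.com"},
     "properties": {}},
]


def target_upns(event):
    """Return every userPrincipalName under properties.targetResources."""
    targets = event.get("properties", {}).get("targetResources", [])
    if isinstance(targets, dict):  # tolerate a single object as well as a list
        targets = [targets]
    return [t["userPrincipalName"] for t in targets if t.get("userPrincipalName")]


def pim_assignment_signals(events):
    """Count PIM role assignments per (assigning user, assigned user) pair."""
    signals = Counter()
    for event in events:
        if not event.get("evt", {}).get("name", "").startswith(PIM_ASSIGN_PREFIX):
            continue
        actor = event.get("usr", {}).get("id", "unknown")
        # Keep events with no resolvable target so they still reach triage.
        for upn in target_upns(event) or ["unknown"]:
            signals[(actor, upn)] += 1
    return signals
```

Each key of the returned counter corresponds to one signal to triage: the first element is the user who made the change, the second the user who received the role.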

Triage and response

  1. Determine if {{@usr.id}} should have assigned the administrative role.
  2. If the API call was not made by the user:
       • Rotate user credentials.
       • Determine what other API calls were made by the user.
       • Begin your organization’s incident response (IR) process and investigate.
  3. If the API call was made legitimately:
       • Determine if {{@usr.id}} was authorized to make the change.
       • Follow Microsoft’s best practices where possible to ensure the user was assigned the correct level of privileges for their function.

Changelog

  • 19 December 2023 - Updated group by values to include @properties.targetResources.userPrincipalName