Azure AD Privileged Identity Management member assigned
Set up the Azure integration.
Goal
Detect whenever a user assigns an administrative role in Azure Privileged Identity Management (PIM).
Strategy
Monitor Azure Active Directory and generate a signal when a user assigns an administrative role to a PIM member.
The field @usr.id is the user that actioned the change, and the field @properties.targetResources.userPrincipalName is the user being assigned the administrative privileges.
Triage and response
- Determine if {{@usr.id}} should have assigned the administrative role.
- If the API call was not made by the user:
  - Rotate user credentials.
  - Determine what other API calls were made by the user.
  - Begin your organization’s incident response (IR) process and investigate.
- If the API call was made legitimately:
  - Determine if {{@usr.id}} was authorized to make the change.
  - Follow Microsoft’s best practices where possible to ensure the user was assigned the correct level of privileges for their function.
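The detection logic from the Strategy section and the "what other API calls were made by the user" triage pivot, as an added example that is not part of the Datadog rule or its implementation. It runs over constructed Azure AD audit-log events in a Datadog-like normalized shape (usr.id for @usr.id, properties.targetResources[].userPrincipalName for @properties.targetResources.userPrincipalName). The activityDisplayName pattern used to recognise a completed PIM assignment, the "Role" target-resource type, and the sample events are all assumptions made for this example, not values taken from the page.

```python
"""Added example: flag Azure AD PIM administrative-role assignments and pivot
to the actor's other activity. Not code from the Datadog rule page.

Assumptions (not stated on the page): events carry usr.id as the actor,
properties.targetResources as a list whose user entry has userPrincipalName,
and properties.activityDisplayName matching PIM_ASSIGNMENT_RE for a completed
PIM assignment. All events below are constructed sample data.
"""
import re
from collections import defaultdict

# Assumed operation-name pattern for completed PIM (eligible or permanent) assignments.
PIM_ASSIGNMENT_RE = re.compile(r"member to role in PIM completed", re.IGNORECASE)


def _event(ts, actor, activity, category, target_upn, role=None):
    """Build one constructed audit event in the assumed normalized shape."""
    resources = [{"type": "User", "userPrincipalName": target_upn}]
    if role:
        resources.append({"type": "Role", "displayName": role})
    return {
        "timestamp": ts,
        "usr": {"id": actor},
        "properties": {
            "activityDisplayName": activity,
            "category": category,
            "targetResources": resources,
        },
    }


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    _event("2024-01-10T09:12:00Z", "alice@example.com",
           "Add member to role in PIM completed (permanent)", "RoleManagement",
           "bob@example.com", "Global Administrator"),
    _event("2024-01-10T09:15:00Z", "alice@example.com",
           "Add eligible member to role in PIM completed (permanent)", "RoleManagement",
           "carol@example.com", "Security Administrator"),
    _event("2024-01-10T09:20:00Z", "alice@example.com",
           "Update user", "UserManagement", "dave@example.com"),
    _event("2024-01-10T10:02:00Z", "eve@example.com",
           "Add member to role in PIM completed (permanent)", "RoleManagement",
           "bob@example.com", "User Administrator"),
]


def is_pim_assignment(event):
    """True when the event is a completed PIM role assignment (assumed pattern)."""
    name = event.get("properties", {}).get("activityDisplayName", "")
    return bool(PIM_ASSIGNMENT_RE.search(name))


def extract_assignment(event):
    """Return (actor, target UPN, role) for a PIM assignment, otherwise None.

    The target is the targetResources entry carrying userPrincipalName, which is
    what the rule reads as @properties.targetResources.userPrincipalName.
    """
    if not is_pim_assignment(event):
        return None
    actor = event.get("usr", {}).get("id")
    resources = event.get("properties", {}).get("targetResources", [])
    target = next((r.get("userPrincipalName") for r in resources
                   if r.get("userPrincipalName")), None)
    role = next((r.get("displayName") for r in resources
                 if r.get("type") == "Role"), None)
    if actor is None or target is None:
        return None  # incomplete event: nothing to key a signal on
    return actor, target, role


def group_signals(events):
    """Group assignments by (actor, target), mirroring the rule's group-by values."""
    signals = defaultdict(list)
    for event in events:
        found = extract_assignment(event)
        if found:
            actor, target, role = found
            signals[(actor, target)].append(role)
    return dict(signals)


def activity_by_actor(events, actor):
    """Triage pivot: every operation the actor performed, in time order."""
    return sorted(
        (e["timestamp"], e["properties"]["activityDisplayName"])
        for e in events
        if e.get("usr", {}).get("id") == actor
    )


if __name__ == "__main__":
    for (actor, target), roles in group_signals(SAMPLE_EVENTS).items():
        print(f"SIGNAL actor={actor} target={target} roles={roles}")
    for ts, activity in activity_by_actor(SAMPLE_EVENTS, "alice@example.com"):
        print(f"  {ts} {activity}")
```

Grouping on both the actor and the target user is what lets one signal per (actor, target) pair survive noisy bulk changes; the pivot function is the first step of the triage list, showing the non-PIM "Update user" call the same actor made in the same window.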
Changelog
- 19 December 2023 - Updated group by values to include @properties.targetResources.userPrincipalName