Detect PIM Alert Disabling activity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization. This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	1f3b4dfd-21ff-4ed3-8e27-afc219e05c50
Severity	Medium
Kind	Scheduled
Tactics	Persistence, PrivilegeEscalation
Techniques	T1098, T1078
Required Connectors	AzureActiveDirectory
Source	View on GitHub

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules