Query Details

Detect PIM Elevation With User Risk

Query

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName contains "PIM activation" and OperationName contains "completed"
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName

About this query

Detect PIM elevation with user risk

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1548Abuse Elevation Control Mechanismhttps://attack.mitre.org/techniques/T1548/

Description

When an account with eligible roles in Entra ID is compromised, the attacker will probably escalate their privileges via Microsoft PIM. With this rule you can detect when a risky user is elevating their privileges with PIM.

Risk

Detect a compromised account with eligible roles.

Author <Optional>

References

Microsoft Sentinel

Defender XDR

CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType == "Add member to role."
| extend UserPrincipalName = tostring(RawEventData.ObjectId)
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName

Explanation

This query is designed to detect potentially compromised user accounts that are elevating their privileges using Microsoft Privileged Identity Management (PIM). Here's a simple breakdown of what each part of the query does:

  1. Data Source: The query is run on two different data sources: AuditLogs for Microsoft Sentinel and CloudAppEvents for Defender XDR.

  2. Time Frame: It looks at events that occurred in the last hour (TimeGenerated > ago(1h)) for privilege elevation activities and in the last day (TimeGenerated > ago(1d)) for user risk events.

  3. Privilege Elevation Detection:

    • In Microsoft Sentinel, it checks for operations where PIM activation was completed.
    • In Defender XDR, it looks for actions where a member was added to a role.
  4. User Risk Detection: It joins the results with AADUserRiskEvents to find users who have been flagged as risky within the last day.

  5. Output: The query identifies users who have both elevated their privileges and have been marked as risky, indicating a potential security threat.

Overall, this query helps security teams identify and respond to potential security incidents where a risky user account is being used to gain higher access privileges, which could indicate an account compromise.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 12, 2026

Tables

AuditLogsAADUserRiskEventsCloudAppEvents

Keywords

AuditLogsCloudAppEventsAADUserRiskEventsUserPrincipalNameOperationNameTimeGeneratedActionTypeRawEventData

Operators

AuditLogswhereTimeGeneratedagocontainsextendtostringjoinkindinnerAADUserRiskEventsCloudAppEventsActionType==RawEventData.ObjectId

MITRE Techniques

Actions

GitHub