@azurekid
Created December 30, 2025 13:46
SIGMA Rule for: PIM Privileged Role Self-Assignment

title: PIM Privileged Role Self-Assignment
id: a8d1c6e4-4f2b-4d9a-9e1b-2c3d4e5f6a7b
status: stable
description: |
    Detects when a user assigns a privileged role to their own account through PIM.
    By assigning themselves as an active or eligible member, an administrator can
    bypass the "four-eyes" principle and escalate their own privileges.
references:
    - learn.microsoft.com
author: Security Operations Center
date: 2025/12/30
logsource:
    category: role_management
    product: azure
    service: entra_id
detection:
    selection_operation:
        # Matches the 'Add member' and 'Add eligible member' operations
        OperationName|contains:
            - 'Add eligible member to role in PIM completed'
            - 'Add member to role in PIM completed'
    filter_activations:
        # Explicitly exclude standard JIT activations to focus on policy changes
        OperationName|contains: 'PIM activation'
    selection_target_type:
        # Ensures the target of the operation is a User object
        TargetResources.type: 'User'
    filter_self_assignment:
        # Field-to-field comparison: the Actor ID matches the Recipient ID.
        # The 'fieldref' modifier (Sigma spec v2) compares against another event
        # field; a plain quoted value would only match the literal string.
        ActorUserId|fieldref: TargetUserId
    condition: selection_operation and not filter_activations and selection_target_type and filter_self_assignment
fields:
    - TimeGenerated
    - ActorUsername
    - TargetUsername
    - GroupName           # Maps to Role Name (e.g., Global Administrator)
    - TargetRoleType      # Eligible vs Active
    - SrcIpAddr           # Extracted from AdditionalDetails (ipaddr)
    - EventMessage        # Justification
    - EventResultDetails  # ExpirationTime
falsepositives:
    - Authorized break-glass/emergency account operations (must be audited).
    - Initial tenant setup where only one Global Admin exists.
level: critical
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1098.003    # Account Manipulation: Additional Cloud Roles
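To show how the four detection blocks combine, here is an added example (not part of the gist) that evaluates the rule's condition in Python over constructed audit records using the rule's field names; the event values, user ids and user names are invented.

```python
# Added example (not from the gist): evaluates the rule's detection logic over
# constructed Entra ID audit records; field names follow the rule, values are invented.
SAMPLE_EVENTS = [
    {   # 1: self-assignment of an active role -> expected to match
        "OperationName": "Add member to role in PIM completed (permanent)",
        "TargetResources.type": "User",
        "ActorUserId": "u-1111", "TargetUserId": "u-1111",
        "ActorUsername": "alice@example.com", "GroupName": "Global Administrator",
    },
    {   # 2: assigning someone else -> not a self-assignment
        "OperationName": "Add eligible member to role in PIM completed (timebound)",
        "TargetResources.type": "User",
        "ActorUserId": "u-1111", "TargetUserId": "u-2222",
        "ActorUsername": "alice@example.com", "GroupName": "Security Administrator",
    },
    {   # 3: JIT activation by the same user -> excluded by filter_activations
        "OperationName": "Add member to role in PIM completed (PIM activation)",
        "TargetResources.type": "User",
        "ActorUserId": "u-3333", "TargetUserId": "u-3333",
        "ActorUsername": "bob@example.com", "GroupName": "Global Administrator",
    },
    {   # 4: target is a group object -> excluded by selection_target_type
        "OperationName": "Add member to role in PIM completed (permanent)",
        "TargetResources.type": "Group",
        "ActorUserId": "u-1111", "TargetUserId": "u-1111",
        "ActorUsername": "alice@example.com", "GroupName": "Global Administrator",
    },
]

def _contains(value, needles):
    """Sigma 'contains' semantics: case-insensitive substring, any needle matches."""
    needles = [needles] if isinstance(needles, str) else needles
    return any(n.lower() in (value or "").lower() for n in needles)

def matches_rule(ev):
    """Mirror of the rule's condition; each local name is one detection block."""
    selection_operation = _contains(ev.get("OperationName"), [
        "Add eligible member to role in PIM completed",
        "Add member to role in PIM completed"])
    filter_activations = _contains(ev.get("OperationName"), "PIM activation")
    selection_target_type = ev.get("TargetResources.type") == "User"
    # Field-to-field comparison (fieldref): actor and target share one object id.
    actor = ev.get("ActorUserId")
    filter_self_assignment = actor is not None and actor == ev.get("TargetUserId")
    return (selection_operation and not filter_activations
            and selection_target_type and filter_self_assignment)

def detect(events):
    """Return the events the rule would alert on."""
    return [ev for ev in events if matches_rule(ev)]
```

Only record 1 survives: record 3 is dropped by the activation exclusion, record 4 by the User-type check, and record 2 because the actor and target ids differ.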