Sigma rule for: Self Assignment Privileged Group
```yaml
title: PIM-Enabled Group Self-Assignment
id: b3d4e5f6-a7b8-4c9d-8e1f-2c3d4e5f6a7c
status: stable
description: |
  Detects when a user assigns themselves as an active or eligible member or owner of a group
  via Entra ID Group Management. This identifies potential indirect privilege escalation
  where a user adds themselves to a group that has been granted privileged administrative roles.
references:
  - learn.microsoft.com
author: Security Operations Center
date: 2025-12-30
logsource:
  category: group_management
  product: azure
  service: entra_id
detection:
  selection_operation:
    OperationName|contains: 'completed'
  filter_activations:
    # Excludes activations of an existing eligible assignment; only new assignments should alert
    OperationName|contains: 'PIM activation'
  selection_targets:
    # Ensures both a User (recipient) and the Group (Other) are present in the resources
    TargetResources.type|all:
      - 'User'
      - 'Other'
  filter_self_assignment:
    # Field-to-field comparison: Actor matches the Target (Sigma v2 fieldref modifier)
    ActorUserId|fieldref: TargetUserId
  condition: selection_operation and not filter_activations and selection_targets and filter_self_assignment
fields:
  - TimeGenerated
  - ActorUsername
  - TargetUsername
  - GroupName
  - TargetRoleName      # Member vs Owner
  - TargetRoleType      # Active vs Eligible
  - SrcIpAddr
  - EventMessage        # Justification
  - EventResultDetails  # ExpirationTime
falsepositives:
  - Documented emergency/break-glass account usage.
  - Initial tenant configuration by the primary administrator.
level: high
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1098.003    # Account Manipulation: Additional Cloud Roles
```
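To see how the four selections and filters combine, here is the rule's condition evaluated in plain Python over a few constructed Entra ID audit records. This is an added example, not the gist author's code or a Sigma backend; the field names follow the rule, while the record layout and the OperationName strings are assumptions.

```python
"""Added example: evaluate the gist's Sigma condition over constructed audit records.

Not the gist author's code and not a Sigma backend; it mirrors each named
selection/filter so the combined condition can be checked offline.
The event layout (dict per record) and OperationName text are assumptions."""


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition."""
    op = event.get("OperationName", "")
    # selection_operation: OperationName|contains 'completed'
    selection_operation = "completed" in op
    # filter_activations: activating an existing eligibility is not a new assignment
    filter_activations = "PIM activation" in op
    # selection_targets: both a User and an 'Other' (group) target must be present
    types = {t.get("type") for t in event.get("TargetResources", [])}
    selection_targets = {"User", "Other"} <= types
    # filter_self_assignment: the actor is also the target user (field-to-field)
    filter_self = event.get("ActorUserId") == event.get("TargetUserId")
    return selection_operation and not filter_activations and selection_targets and filter_self


# Constructed sample records (not real tenant data); user ids are placeholders.
SAMPLE_EVENTS = [
    {   # user adds self as eligible group owner -> should alert
        "OperationName": "Add eligible member to group completed (PIM)",
        "ActorUserId": "u-1", "TargetUserId": "u-1",
        "TargetResources": [{"type": "User"}, {"type": "Other"}],
    },
    {   # admin adds a different user -> not a self-assignment
        "OperationName": "Add member to group completed (PIM)",
        "ActorUserId": "u-2", "TargetUserId": "u-3",
        "TargetResources": [{"type": "User"}, {"type": "Other"}],
    },
    {   # user activates an already-eligible membership -> filtered out
        "OperationName": "Add member to group completed (PIM activation)",
        "ActorUserId": "u-1", "TargetUserId": "u-1",
        "TargetResources": [{"type": "User"}, {"type": "Other"}],
    },
    {   # request not yet completed -> selection_operation fails
        "OperationName": "Add member to group requested (PIM)",
        "ActorUserId": "u-1", "TargetUserId": "u-1",
        "TargetResources": [{"type": "User"}, {"type": "Other"}],
    },
]


def alerting_indices(events=SAMPLE_EVENTS) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```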