Query Details

12 PIM Abuse Non Interactive Admin Action

Query

id: f7a3b5c6-d1e2-4f8a-9b0c-1d2e3f4a5b6c
name: PIM Role Activation Followed by Non-Interactive Token Use
version: 1.0.0
kind: Scheduled
description: |
  Detects when a user activates a privileged role through Privileged Identity Management (PIM)
  and then immediately uses a non-interactive token from that elevated session within 30 minutes.
  This pattern may indicate an attacker abusing PIM to temporarily elevate privileges, then
  using a silent token to perform admin operations without triggering interactive MFA prompts.
  MITRE ATT&CK: T1078 (Valid Accounts), T1098 (Account Manipulation), T1134 (Access Token Manipulation)
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
      - AuditLogs
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1078
  - T1098
  - T1134
query: |
  let PIMActivations =
      AuditLogs
      | where TimeGenerated > ago(2h)
      | where OperationName has "Add member to role completed (PIM activation)"
      // InitiatedBy is a dynamic column; lower-case the UPN so the join does not miss mixed-case values
      | extend UPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
      | where isnotempty(UPN)
      | project
          ActivationTime = TimeGenerated,
          UPN,
          RoleName       = tostring(TargetResources[0].displayName);
  AADNonInteractiveUserSignInLogs
  | where TimeGenerated > ago(2h)
  // ResultType is a string column in this table; "0" is a successful sign-in
  | where ResultType == "0"
  | extend UPN = tolower(UserPrincipalName)
  | join kind=inner PIMActivations on UPN
  // keep only sign-ins strictly after the activation and inside the 30-minute window
  | where TimeGenerated > ActivationTime
      and (TimeGenerated - ActivationTime) < 30m
  | project
      NISignInTime           = TimeGenerated,
      ActivationTime,
      UserPrincipalName,
      RoleName,
      AppDisplayName,
      IPAddress,
      Location,
      TimeSincePIMActivation = (TimeGenerated - ActivationTime)
  | order by NISignInTime desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
customDetails:
  RoleName: RoleName
  AppDisplayName: AppDisplayName
  TimeSincePIMActivation: TimeSincePIMActivation
alertDetailsOverride:
  alertDisplayNameFormat: "PIM Abuse - {{UserPrincipalName}} activated {{RoleName}} then used silent token"
  alertDescriptionFormat: "User {{UserPrincipalName}} activated PIM role '{{RoleName}}' then immediately used a non-interactive token from {{IPAddress}}. Verify this is authorized administrative activity."
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AnyAlert
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []

Explanation

This query is designed to detect potentially suspicious activity involving the use of Privileged Identity Management (PIM) in Azure Active Directory. Here's a simple breakdown of what it does:

  1. Purpose: It looks for instances where a user activates a privileged role using PIM and then, within 30 minutes, uses a non-interactive token from that elevated session. This behavior might suggest that someone is trying to temporarily elevate their privileges and perform administrative tasks without being noticed.

  2. Data Sources: The query uses data from Azure Active Directory, specifically:

    • Audit logs to track PIM role activations.
    • Non-interactive user sign-in logs to find token usage.

  3. Detection Logic:

    • It first identifies PIM role activations within the last two hours.
    • Then, it checks for successful non-interactive sign-ins by the same user within 30 minutes after the role activation.
    • If such activity is found, it suggests a potential misuse of PIM.

  4. Severity and Alerts: The query is set to a high severity level, indicating the importance of the detected activity. If the query finds any matches, it triggers an alert with details about the user, role, application, and IP address involved.

  5. MITRE ATT&CK Techniques: The query is associated with Valid Accounts (T1078), Account Manipulation (T1098), and Access Token Manipulation (T1134), techniques commonly used by attackers.

  6. Incident Management: If an alert is generated, it can create an incident in the monitoring system, allowing security teams to investigate further.

In summary, this query helps identify potential abuse of privileged roles in Azure by detecting quick, non-interactive token usage after a PIM role activation, which could indicate unauthorized administrative actions. Because the non-interactive sign-in table also records routine token refreshes by ordinary client applications, some benign matches are expected shortly after any activation; reviewing the AppDisplayName values that appear for approved administrators is the usual tuning step before relying on incident creation.
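The correlation the rule performs, re-implemented here as an added Python example (not the rule's KQL or any Microsoft code) over constructed sample records: it filters for completed activations, matches successful non-interactive sign-ins by lower-cased UPN, and applies the strict "after activation, under 30 minutes" window. The sample data is constructed to cover the edge cases the rule excludes (sign-in before activation, failed sign-in, sign-in outside the window, activation only requested).

```python
from datetime import datetime, timedelta

# Constructed sample records standing in for the two Sentinel tables the rule joins.
AUDIT_LOGS = [  # AuditLogs: one completed and one merely requested PIM activation
    {"TimeGenerated": "2026-05-29T09:00:00", "OperationName": "Add member to role completed (PIM activation)",
     "InitiatedBy": {"user": {"userPrincipalName": "Alice@contoso.example"}},
     "TargetResources": [{"displayName": "Global Administrator"}]},
    {"TimeGenerated": "2026-05-29T09:05:00", "OperationName": "Add member to role requested (PIM activation)",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "TargetResources": [{"displayName": "Security Administrator"}]},
]
SIGNINS = [  # AADNonInteractiveUserSignInLogs: ResultType is a string column, "0" = success
    {"TimeGenerated": "2026-05-29T08:55:00", "UserPrincipalName": "alice@contoso.example", "ResultType": "0",
     "AppDisplayName": "Azure Portal", "IPAddress": "203.0.113.10"},  # before the activation
    {"TimeGenerated": "2026-05-29T09:12:00", "UserPrincipalName": "alice@contoso.example", "ResultType": "0",
     "AppDisplayName": "Azure Active Directory PowerShell", "IPAddress": "203.0.113.10"},  # expected hit
    {"TimeGenerated": "2026-05-29T09:20:00", "UserPrincipalName": "alice@contoso.example", "ResultType": "50126",
     "AppDisplayName": "Microsoft Graph", "IPAddress": "198.51.100.7"},  # failed sign-in
    {"TimeGenerated": "2026-05-29T09:45:00", "UserPrincipalName": "alice@contoso.example", "ResultType": "0",
     "AppDisplayName": "Microsoft Teams", "IPAddress": "203.0.113.10"},  # outside the 30-minute window
    {"TimeGenerated": "2026-05-29T09:10:00", "UserPrincipalName": "bob@contoso.example", "ResultType": "0",
     "AppDisplayName": "Azure Portal", "IPAddress": "203.0.113.11"},  # activation never completed
]
ACTIVATION_OP = "Add member to role completed (PIM activation)"

def pim_activations(audit_logs):
    """The rule's `let PIMActivations` block: completed activations keyed by lower-cased UPN."""
    out = []
    for row in audit_logs:
        upn = row.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        if row["OperationName"] != ACTIVATION_OP or not upn:
            continue
        out.append({"ActivationTime": datetime.fromisoformat(row["TimeGenerated"]), "UPN": upn.lower(),
                    "RoleName": row["TargetResources"][0]["displayName"]})
    return out

def correlate(audit_logs, signins, window=timedelta(minutes=30)):
    """Successful non-interactive sign-ins by the same user strictly after, and within `window` of, an activation."""
    hits = []
    for act in pim_activations(audit_logs):
        for s in signins:
            if s["ResultType"] != "0" or s["UserPrincipalName"].lower() != act["UPN"]:
                continue
            delta = datetime.fromisoformat(s["TimeGenerated"]) - act["ActivationTime"]
            if not (timedelta(0) < delta < window):
                continue
            hits.append({"NISignInTime": s["TimeGenerated"], "UserPrincipalName": s["UserPrincipalName"],
                         "RoleName": act["RoleName"], "AppDisplayName": s["AppDisplayName"],
                         "IPAddress": s["IPAddress"], "MinutesSincePIMActivation": int(delta.total_seconds() // 60)})
    return sorted(hits, key=lambda h: h["NISignInTime"], reverse=True)
```

Only the 09:12 PowerShell sign-in survives; everything else is dropped by one of the rule's filters.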

Details

David Alonso

Released: May 29, 2026

Tables

AuditLogs, AADNonInteractiveUserSignInLogs

Keywords

Privileged Identity Management, User, Token, Role, Account, IP, Location, App

Operators

let, where, ago, has, extend, tostring, isnotempty, project, join, kind, on, ==, >, and, <, order by, desc