Detect PIM Elevation With User Risk
# *Detect PIM elevation with user risk*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1548 | Abuse Elevation Control Mechanism | https://attack.mitre.org/techniques/T1548/ |

#### Description
When an account that holds eligible roles in Entra ID is compromised, the attacker will probably use Microsoft PIM to activate those roles and escalate their privileges. With this rule you can detect when a user flagged as risky is elevating their privileges through PIM.

#### Risk
Detects a potentially compromised account with eligible roles activating them through PIM.

#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/

#### References
- https://hybridbrothers.com/

## Microsoft Sentinel
```KQL
AuditLogs
// PIM activations that completed in the last hour
| where TimeGenerated > ago(1h)
| where OperationName contains "PIM activation" and OperationName contains "completed"
// The activating user is carried in the dynamic InitiatedBy column
| extend UserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
// Keep only activations by users with an Identity Protection risk detection in the last day
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName
```

## Defender XDR
```KQL
CloudAppEvents
// Note: in native Defender XDR advanced hunting the time column of CloudAppEvents is Timestamp;
// TimeGenerated is available once the table is ingested into Sentinel (unified portal)
| where TimeGenerated > ago(1h)
// Role assignments made through PIM surface as this Entra ID action
| where ActionType == "Add member to role."
// The target user's UPN is carried in the raw Office 365 audit record
| extend UserPrincipalName = tostring(RawEventData.ObjectId)
// Keep only users with an Identity Protection risk detection in the last day
| join kind=inner (AADUserRiskEvents | where TimeGenerated > ago(1d)) on UserPrincipalName
```

Explanation

This query is designed to detect potentially compromised user accounts that are elevating their privileges using Microsoft Privileged Identity Management (PIM). Here's a simple breakdown of what each part of the query does:

  1. Data Source: The query runs on two different data sources: AuditLogs for Microsoft Sentinel and CloudAppEvents for Defender XDR.

  2. Time Frame: It looks at events from the last hour (TimeGenerated > ago(1h)) for privilege elevation activities and from the last day (TimeGenerated > ago(1d)) for user risk events.

  3. Privilege Elevation Detection:
     • In Microsoft Sentinel, it checks for operations where a PIM activation was completed.
     • In Defender XDR, it looks for actions where a member was added to a role.

  4. User Risk Detection: It joins the results with AADUserRiskEvents to find users who have been flagged as risky within the last day.

  5. Output: The query returns users who have both elevated their privileges and been marked as risky, which indicates a potential security threat.

Overall, this query helps security teams identify and respond to potential security incidents where a risky user account is being used to gain higher access privileges, which could indicate an account compromise.
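As an added example (not the author's rule), the following tightened Sentinel variant goes a step beyond the query above: it normalises the UPN because KQL joins are case-sensitive, drops risk detections that were already dismissed or remediated, and surfaces the activated role, risk type and risk age for triage. It assumes AADUserRiskEvents exposes RiskLevel, RiskState, RiskEventType and DetectedDateTime, that AuditLogs has a Result column, and that the role name sits in TargetResources[0].displayName.

```kql
// Added example, not the author's rule: a tightened Sentinel variant.
// Assumed columns: AADUserRiskEvents.RiskLevel/RiskState/RiskEventType/DetectedDateTime,
// AuditLogs.Result, and the role name in TargetResources[0].displayName.
let lookback = 1h;
let riskWindow = 1d;
let Elevations = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName contains "PIM activation" and OperationName contains "completed"
    // Only successful activations matter here; failures are a separate signal
    | where Result =~ "success"
    // KQL joins are case-sensitive, so normalise the UPN on both sides
    | extend UserPrincipalName = tolower(tostring(InitiatedBy.user.userPrincipalName))
    | extend RoleName = tostring(TargetResources[0].displayName)
    | project ActivationTime = TimeGenerated, UserPrincipalName, RoleName, OperationName, CorrelationId;
let RiskyUsers = AADUserRiskEvents
    | where TimeGenerated > ago(riskWindow)
    // Drop detections an analyst dismissed or the user already remediated
    | where RiskState in~ ("atRisk", "confirmedCompromised")
    | where RiskLevel in~ ("medium", "high")
    | extend UserPrincipalName = tolower(UserPrincipalName)
    // One row per user, carrying the most recent detection
    | summarize arg_max(DetectedDateTime, RiskLevel, RiskEventType, RiskState) by UserPrincipalName;
Elevations
| join kind=inner (RiskyUsers) on UserPrincipalName
// How long the risk had been known when the role was activated (negative: risk raised afterwards)
| extend RiskAgeAtActivation = ActivationTime - DetectedDateTime
| project ActivationTime, UserPrincipalName, RoleName, RiskLevel, RiskState, RiskEventType,
          DetectedDateTime, RiskAgeAtActivation, CorrelationId
| order by ActivationTime desc
```

A negative RiskAgeAtActivation means Identity Protection raised the risk after the activation, which is still worth reviewing but may be the activation sign-in itself being flagged.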

Details

Robbe Van den Daele

Released: January 12, 2026

Tables: AuditLogs, AADUserRiskEvents, CloudAppEvents