Query Details

HQ 005 Privileged Role Assignment Non PIM

Query

// =========================================================================
// HQ-005: Privileged Role Assignment NOT Logged by PIM
// =========================================================================
// Description : All legitimate role assignments in a PIM-enabled tenant
//               should be logged with LoggedByService = "PIM". Direct 
//               role assignments via the Azure portal, PowerShell, or
//               attacker tools (AADInternals, MicroBurst) will appear with
//               LoggedByService = "Core Directory". This query surfaces
//               those non-PIM assignments.
// MITRE ATT&CK: TA0004 Privilege Escalation
//               T1098.003 – Additional Cloud Roles
// Tools       : AADInternals, MicroBurst, manual attacker
// Severity    : High
// Note        : If PIM is not licensed/enabled in your tenant, adjust the
//               filter or suppress the LoggedByService condition.
// Data Source : AuditLogs (Azure Active Directory)
// =========================================================================

AuditLogs
| where TimeGenerated > ago(7d)
| where ActivityDisplayName in (
    "Add member to role",
    "Add eligible member to role",
    "Add scoped member to role",
    "Add permanent member to role")
| where LoggedByService !in ("PIM", "Privileged Identity Management")
| extend InitiatedByUPN  = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp  = tostring(InitiatedBy.app.displayName)
| extend Actor           = iff(isnotempty(InitiatedByUPN), InitiatedByUPN, InitiatedByApp)
| extend TargetUser      = tostring(TargetResources[0].displayName)
| extend TargetUserUPN   = tostring(TargetResources[0].userPrincipalName)
| extend RoleName        = tostring(TargetResources[1].displayName)
| where Result == "success"
| project
    TimeGenerated,
    Actor,
    TargetUser,
    TargetUserUPN,
    RoleName,
    ActivityDisplayName,
    LoggedByService,
    CorrelationId
| order by TimeGenerated desc

Explanation

This query identifies privileged role assignments in an Azure Active Directory tenant that has Privileged Identity Management (PIM) enabled but that were not logged by PIM. Such assignments are logged by the "Core Directory" service instead, which indicates a direct assignment made through the Azure portal, PowerShell or Graph, or through attacker tooling such as AADInternals or MicroBurst, rather than through a PIM request, approval or activation.

Here's a simplified breakdown of what the query does:

  1. Data Source: It examines the AuditLogs from Azure Active Directory.

  2. Time Frame: It looks at logs generated in the past 7 days.

  3. Activity Filter: It focuses on specific activities related to role assignments, such as adding members to roles.

  4. Logging Filter: It drops entries whose LoggedByService is PIM, leaving those written by other services (in practice "Core Directory").

  5. Data Extraction: It extracts and organizes relevant information such as:

    • The user or application that initiated the role assignment (Actor). The query prefers the user principal name and falls back to the application display name, so app-initiated assignments are not lost.
    • The target user who was assigned the role (TargetUser and TargetUserUPN), taken from the first target resource.
    • The role that was assigned (RoleName), taken from the second target resource.
    • The type of activity performed (ActivityDisplayName).
    • The service that logged the activity (LoggedByService).
    • The identifier that ties together the audit entries of one operation (CorrelationId), useful for pivoting to related events.

  6. Result Filter: It only includes successful role assignment actions; failed attempts are excluded, so consider a companion query if you also want to see denied assignments.

  7. Output: The results are sorted by the time they were generated, in descending order, to show the most recent activities first.

The query surfaces role assignments that bypass PIM, which may indicate unauthorized or suspicious activity. Before turning it into an alert, baseline the initiators: PIM's own fulfilment of an activation can itself appear as a Core Directory "Add member to role" event initiated by the MS-PIM service principal, and scheduled provisioning applications may also assign roles directly. Those known initiators should be allowlisted so that the remaining hits are genuinely unexpected.
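As an added example (not part of the original query page), the same selection logic expressed in Python over constructed AuditLogs-shaped records, so the filter's behaviour can be checked offline before it is deployed. The records, names, role names and correlation ids are all made up for illustration. The `KNOWN_AUTOMATION_APPS` allowlist is a tuning step the KQL above does not include; it assumes that PIM's own fulfilment of an activation shows up as a Core Directory event initiated by the MS-PIM service principal.

```python
"""Offline replica of the HQ-005 filter over constructed AuditLogs-shaped
records. Sample data below is constructed, not real tenant data."""
from datetime import datetime, timedelta, timezone

ROLE_ASSIGNMENT_ACTIVITIES = {
    "Add member to role",
    "Add eligible member to role",
    "Add scoped member to role",
    "Add permanent member to role",
}
PIM_SERVICES = {"PIM", "Privileged Identity Management"}

# Assumption (not from the original query): PIM writes a Core Directory
# "Add member to role" event initiated by the MS-PIM service principal when
# it fulfils an activation. Allowlisting it keeps real PIM activity quiet.
KNOWN_AUTOMATION_APPS = {"MS-PIM"}

NOW = datetime(2026, 4, 6, 12, 0, tzinfo=timezone.utc)


def _record(minutes_ago, activity, service, initiated_by, target_upn, role,
            result="success", corr="c-0"):
    """Build one record shaped like an AuditLogs row (subset of columns)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "ActivityDisplayName": activity,
        "LoggedByService": service,
        "InitiatedBy": initiated_by,
        "TargetResources": [
            {"type": "User", "displayName": target_upn.split("@")[0],
             "userPrincipalName": target_upn},
            {"type": "Role", "displayName": role},
        ],
        "Result": result,
        "CorrelationId": corr,
    }


SAMPLE_AUDIT_LOGS = [
    # 1. PIM activation logged by PIM -> must not alert
    _record(30, "Add member to role", "PIM",
            {"user": {"userPrincipalName": "alice@contoso.example"}},
            "alice@contoso.example", "Global Administrator", corr="c-1"),
    # 2. PIM's fulfilment event: Core Directory, initiated by MS-PIM -> tuned out
    _record(29, "Add member to role", "Core Directory",
            {"app": {"displayName": "MS-PIM"}},
            "alice@contoso.example", "Global Administrator", corr="c-2"),
    # 3. Direct assignment by a user outside PIM -> ALERT
    _record(20, "Add member to role", "Core Directory",
            {"user": {"userPrincipalName": "mallory@contoso.example"}},
            "svc-backup@contoso.example", "Global Administrator", corr="c-3"),
    # 4. Failed attempt -> excluded by the Result filter
    _record(15, "Add eligible member to role", "Core Directory",
            {"user": {"userPrincipalName": "mallory@contoso.example"}},
            "bob@contoso.example", "Privileged Role Administrator",
            result="failure", corr="c-4"),
    # 5. App-initiated direct assignment (e.g. abused automation SP) -> ALERT
    _record(10, "Add permanent member to role", "Core Directory",
            {"app": {"displayName": "LegacyProvisioningApp"}},
            "carol@contoso.example", "User Administrator", corr="c-5"),
    # 6. Event older than the 7-day window -> excluded
    _record(60 * 24 * 9, "Add member to role", "Core Directory",
            {"user": {"userPrincipalName": "eve@contoso.example"}},
            "dave@contoso.example", "Global Administrator", corr="c-6"),
]


def non_pim_role_assignments(records, now=NOW, lookback=timedelta(days=7),
                             allow_apps=KNOWN_AUTOMATION_APPS):
    """Mirror of the HQ-005 pipeline; returns projected rows, newest first."""
    rows = []
    for r in records:
        if r["TimeGenerated"] <= now - lookback:            # ago(7d)
            continue
        if r["ActivityDisplayName"] not in ROLE_ASSIGNMENT_ACTIVITIES:
            continue
        if r["LoggedByService"] in PIM_SERVICES:             # !in ("PIM", ...)
            continue
        if r["Result"] != "success":
            continue
        upn = r["InitiatedBy"].get("user", {}).get("userPrincipalName", "")
        app = r["InitiatedBy"].get("app", {}).get("displayName", "")
        actor = upn if upn else app                          # iff(isnotempty(UPN), UPN, App)
        if not upn and app in allow_apps:                    # tuning step (assumption above)
            continue
        targets = r["TargetResources"]
        rows.append({
            "TimeGenerated": r["TimeGenerated"],
            "Actor": actor,
            "TargetUser": targets[0].get("displayName", ""),
            "TargetUserUPN": targets[0].get("userPrincipalName", ""),
            "RoleName": targets[1].get("displayName", "") if len(targets) > 1 else "",
            "ActivityDisplayName": r["ActivityDisplayName"],
            "LoggedByService": r["LoggedByService"],
            "CorrelationId": r["CorrelationId"],
        })
    return sorted(rows, key=lambda x: x["TimeGenerated"], reverse=True)


if __name__ == "__main__":
    for row in non_pim_role_assignments(SAMPLE_AUDIT_LOGS):
        print(row["TimeGenerated"].isoformat(), row["Actor"], "->",
              row["TargetUserUPN"], row["RoleName"], row["CorrelationId"])
```

Run as-is, only the two direct assignments (c-5 and c-3) are reported; passing `allow_apps=set()` reproduces the untuned KQL behaviour and the MS-PIM fulfilment event (c-2) is reported as well, which is the noise the allowlist exists to remove.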

Details


David Alonso

Released: April 6, 2026

Tables

AuditLogs

Keywords

AuditLogs, Azure Active Directory, Role, User, Actor, TargetUser, TargetUserUPN, RoleName, ActivityDisplayName, LoggedByService, CorrelationId

Operators

AuditLogs, |, where, >, ago, in, !in, extend, =, tostring, iff, isnotempty, [ ], ==, project, order by, desc
