PIM Alerts

Query

# PIM Security Alerts

## Query Information

#### Description
Detects Microsoft Entra Privileged Identity Management (PIM) security alerts and assigns severity based on the official Microsoft documentation.

Alert names from documentation:
- Administrators aren't using their privileged roles
- Roles don't require multifactor authentication for activation
- The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance
- Potential stale accounts in a privileged role
- Roles are being assigned outside of Privileged Identity Management
- There are too many Global Administrators
- Roles are being activated too frequently

#### Risk
These alerts indicate privilege governance gaps, potential policy violations, or active misuse of privileged access that can increase the likelihood and impact of identity compromise.

#### References
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts

## Sentinel
```kql
AuditLogs
// PIM security alerts are written as RoleManagement audit events with this operation name
| where OperationName =~ "Triggered PIM alert"
| where Category =~ "RoleManagement"
// The alert title is the displayName of the first target resource; cast to string for =~ matching
| extend AlertDescription = tostring(TargetResources[0].displayName)
| extend Severity = case(
    AlertDescription =~ "Roles are being assigned outside of Privileged Identity Management" or AlertDescription =~ "Role assigned outside of PIM", "High",
    AlertDescription =~ "Potential stale accounts in a privileged role", "Medium",
    AlertDescription =~ "Administrators aren't using their privileged roles", "Low",
    AlertDescription =~ "Roles don't require multifactor authentication for activation", "Low",
    AlertDescription =~ "The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance", "Low",
    AlertDescription =~ "There are too many Global Administrators", "Low",
    AlertDescription =~ "Roles are being activated too frequently", "Low",
    // Titles not in the list above (new or renamed alerts) still surface for review
    "Unknown"
)
| project-reorder TimeGenerated, OperationName, Category, AlertDescription, Severity
```

Explanation

This query is designed to identify and categorize security alerts related to Microsoft Entra Privileged Identity Management (PIM). Here's a simple breakdown:

1. Data Source: The query reads from the AuditLogs table.
2. Filter Criteria: It keeps only records where the operation name is "Triggered PIM alert" and the category is "RoleManagement", so the output is limited to alerts raised by PIM about role management.
3. Alert Description: For each alert, it takes the description from the displayName of the first entry in the TargetResources field.
4. Severity Assignment: The query assigns a severity level to each alert based on its description:
   - High Severity: Alerts about roles being assigned outside of PIM.
   - Medium Severity: Alerts about potential stale accounts in privileged roles.
   - Low Severity: Alerts about administrators not using their roles, roles not requiring multifactor authentication, the tenant lacking Microsoft Entra ID P2 or Microsoft Entra ID Governance, too many Global Administrators, and roles being activated too frequently.
   - Unknown Severity: Any alert whose description matches none of the predefined titles.
5. Output: The columns are reordered to show the time the alert was generated, the operation name, category, alert description, and its assigned severity first.

In summary, this query helps identify potential security issues related to privileged role management and categorizes them by severity to prioritize response efforts.
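As an added example (not part of the original query page), the same filter and severity mapping run over constructed AuditLogs-shaped rows in a `datatable`, so the rules can be checked in any Kusto workspace without waiting for live PIM alerts; the `PimSeverity` function name, the sample rows and the "Hypothetical new alert title" row are assumptions.

```kql
// Constructed sample rows with only the AuditLogs columns the detection reads.
// Not real tenant data: the titles are the documented alert names plus one
// made-up title to exercise the "Unknown" branch, and one ordinary
// role-management event that the OperationName filter must drop.
let SamplePimAudit = datatable(TimeGenerated:datetime, OperationName:string, Category:string, TargetResources:dynamic)
[
    datetime(2026-05-22T08:00:00Z), "Triggered PIM alert", "RoleManagement",
        dynamic([{"displayName": "Roles are being assigned outside of Privileged Identity Management"}]),
    datetime(2026-05-22T08:05:00Z), "Triggered PIM alert", "RoleManagement",
        dynamic([{"displayName": "Potential stale accounts in a privileged role"}]),
    datetime(2026-05-22T08:10:00Z), "Triggered PIM alert", "RoleManagement",
        dynamic([{"displayName": "There are too many Global Administrators"}]),
    datetime(2026-05-22T08:15:00Z), "Triggered PIM alert", "RoleManagement",
        dynamic([{"displayName": "Hypothetical new alert title"}]),
    datetime(2026-05-22T08:20:00Z), "Add member to role", "RoleManagement",
        dynamic([{"displayName": "Global Administrator"}])
];
// Severity mapping as a scalar function (assumed name) so the same rules can be
// reused unchanged in the live AuditLogs query.
let PimSeverity = (title:string) {
    case(
        title =~ "Roles are being assigned outside of Privileged Identity Management"
            or title =~ "Role assigned outside of PIM", "High",
        title =~ "Potential stale accounts in a privileged role", "Medium",
        title in~ ("Administrators aren't using their privileged roles",
                   "Roles don't require multifactor authentication for activation",
                   "The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance",
                   "There are too many Global Administrators",
                   "Roles are being activated too frequently"), "Low",
        "Unknown")
};
SamplePimAudit
| where OperationName =~ "Triggered PIM alert" and Category =~ "RoleManagement"
| extend AlertDescription = tostring(TargetResources[0].displayName)
| extend Severity = PimSeverity(AlertDescription)
// Rank so High sorts first; Unknown stays visible because it may be a renamed alert.
| extend SeverityRank = case(Severity == "High", 0, Severity == "Medium", 1, Severity == "Low", 2, 3)
| summarize Alerts = count(), LastSeen = max(TimeGenerated) by SeverityRank, Severity, AlertDescription
| order by SeverityRank asc, LastSeen desc
| project-away SeverityRank
```

Swap `SamplePimAudit` for `AuditLogs` to run the same summary against real data; any row landing in Unknown is a sign the mapping needs updating against the current Microsoft alert list.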

Details

Bert-Jan Pals

Released: May 22, 2026

Tables

AuditLogs

Keywords

AuditLogs, RoleManagement, PrivilegedIdentityManagement, MicrosoftEntraPrivilegedIdentityManagement, PrivilegedAccess, IdentityCompromise, GlobalAdministrators, MicrosoftEntraIDGovernance

Operators

|, =~, extend, case, project-reorder