External User Added to Admin Role Outside PIM [RULE-1161]

This rule detects when an external user (guest user) is added to a role with high administrative privileges, outside of Privileged Identity Management (PIM). This alert triggers specifically when your organization uses PIM, but someone assigns the admin role without going through the PIM process.

Rationale

Privileged Identity Management (PIM) is a security control mechanism that helps organizations manage, monitor, and audit administrative privileges. When PIM is deployed, the expectation is that all administrative privileges are granted through PIM - with approval processes, temporary assignments, and additional monitoring. Granting administrative privileges outside of PIM undermines these controls.

This detection is especially critical because it combines two red flags: (1) administrative privileges outside the PIM process, and (2) assignment to an external account. This pattern is strongly indicative of malicious behavior or at least a serious deviation from security policy that requires immediate attention.
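One way to express the two red flags above as detection logic, as an added example that is not this rule's own implementation: it runs over a few constructed, simplified Entra ID audit-log records (made-up tenant, users and ids), treats the `loggedByService`/`operationName` markers that distinguish PIM-driven changes from direct "Core Directory" assignments as an assumption to confirm against your own tenant's logs, and takes the set of roles counted as highly privileged from a hypothetical `HIGH_PRIV_ROLES` policy list.

```python
"""Added example (not the rule's own implementation): flag a guest user being
added to a highly privileged directory role by direct assignment, i.e. outside
PIM, over constructed, simplified Entra ID audit-log records."""
import json
from typing import Optional

# Assumption: the roles treated as "high administrative privilege"; adjust to policy.
HIGH_PRIV_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Security Administrator",
    "User Administrator",
}

# Constructed sample records (made-up tenant, users and ids). Field names follow
# the directoryAudit shape; the PIM vs "Core Directory" distinction is an assumption.
SAMPLE_AUDIT_LOG = json.dumps([
    {   # guest added directly to Global Administrator: both red flags -> alert
        "id": "evt-1", "activityDateTime": "2024-05-01T10:02:11Z",
        "operationName": "Add member to role", "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "type": "User", "userType": "Guest",
            "userPrincipalName": "mallory_partner.example#EXT#@contoso.example",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Global Administrator\""}]}],
    },
    {   # same guest and role, but assigned through PIM -> expected path, no alert
        "id": "evt-2", "activityDateTime": "2024-05-01T10:05:00Z",
        "operationName": "Add member to role in PIM completed (permanent)",
        "loggedByService": "PIM",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "type": "User", "userType": "Guest",
            "userPrincipalName": "mallory_partner.example#EXT#@contoso.example",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Global Administrator\""}]}],
    },
    {   # internal member added directly -> only one red flag, out of scope here
        "id": "evt-3", "activityDateTime": "2024-05-01T10:07:30Z",
        "operationName": "Add member to role", "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "type": "User", "userType": "Member",
            "userPrincipalName": "bob@contoso.example",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Global Administrator\""}]}],
    },
    {   # guest added directly to a low-privilege role -> not in the watched set
        "id": "evt-4", "activityDateTime": "2024-05-01T10:09:00Z",
        "operationName": "Add member to role", "loggedByService": "Core Directory",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [{
            "type": "User", "userType": "Guest",
            "userPrincipalName": "mallory_partner.example#EXT#@contoso.example",
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "newValue": "\"Directory Readers\""}]}],
    },
])


def is_guest(target: dict) -> bool:
    """Guest heuristics: explicit userType, or the #EXT# marker Entra puts in guest UPNs."""
    upn = target.get("userPrincipalName") or ""
    return target.get("userType") == "Guest" or "#EXT#" in upn.upper()


def assigned_role(target: dict) -> Optional[str]:
    """Role display name from the target's modifiedProperties (newValue is JSON-encoded)."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName":
            return json.loads(prop.get("newValue") or "null")
    return None


def is_pim_path(record: dict) -> bool:
    """Assumption: PIM-driven changes are logged by the PIM service / 'in PIM' operations."""
    return record.get("loggedByService") == "PIM" or "PIM" in record.get("operationName", "")


def find_non_pim_guest_admin_assignments(records: list) -> list:
    """Return one alert per guest user granted a watched role outside PIM."""
    alerts = []
    for rec in records:
        if not rec.get("operationName", "").startswith("Add member to role"):
            continue  # not a role-membership change
        if is_pim_path(rec):
            continue  # assignment went through PIM: the expected, monitored path
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        for target in rec.get("targetResources", []):
            role = assigned_role(target)
            if target.get("type") == "User" and role in HIGH_PRIV_ROLES and is_guest(target):
                alerts.append({"event_id": rec.get("id"), "time": rec.get("activityDateTime"),
                               "actor": actor, "target": target.get("userPrincipalName"),
                               "role": role})
    return alerts


def run_example() -> list:
    """Run the detection over the constructed sample log."""
    return find_non_pim_guest_admin_assignments(json.loads(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"[{a['event_id']}] {a['actor']} added guest {a['target']} to {a['role']} outside PIM")
```

Only `evt-1` fires: the PIM-path record, the internal member, and the guest added to a non-privileged role are all skipped, which mirrors the rule's scope of "guest + high-privilege role + outside PIM". The `is_pim_path` markers and the `Role.DisplayName` property name are the parts to validate against real records before relying on this shape.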

Fix

A fix will be offered to remove the administrative privileges from the external user, once you have validated that the assignment is malicious or does not comply with policy. For further investigation you can contact us; Attic can support you via our IR service.

More information