Forum Discussion
JMSHW0420
Feb 23, 2023 · Iron Contributor
RE: In KQL, IF a new role is added by user through AD PIM, how do you extract their details...
Hello, I previously posted a similar query about HOW you extract details about the user who initiated the action to ADD a new privileged role to ANOTHER user. I have simplified my BASE qu...
Clive_Watson
Mar 01, 2023 · Bronze Contributor
Not sure where the null info would be, but you could always at least populate a value in that field, maybe add a final line of:
| extend UserPrincipalName = iif(isempty(UserPrincipalName),Identity,UserPrincipalName)
This should add "MS-PIM" to the gaps
JMSHW0420
Mar 01, 2023 · Iron Contributor
Hi Clive_Watson,
Yes, that did exactly that but still did not return the actual user committing the add action.
The following query does though when the add action is performed through PIM.
AuditLogs
| where TimeGenerated > ago(30d)
// The PIM "completed" events carry the requesting user in InitiatedBy; the plain
// "Add member to role" event for the same change is written on PIM's behalf and
// shows MS-PIM in Identity instead, which is why the earlier queries came back empty.
| where OperationName in (
    "Add eligible member to role in PIM completed (permanent)",
    "Add eligible member to role in PIM completed (timebound)",
    "Add member to role in PIM completed (permanent)",
    "Add member to role in PIM completed (timebound)")
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)          // the directory role being assigned
| extend Target = tostring(TargetResources[2].userPrincipalName)                   // the user receiving the role
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) // the user who requested the assignment
| project TimeGenerated, OperationName, Actor, Target, ['Azure AD Role Name']
Clive_Watson thank you for your input. It really did help.
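A more defensive variant of the query above, added here as an example and not part of either poster's query. It assumes the standard AuditLogs schema of Azure AD diagnostic logs in Log Analytics/Sentinel: RoleManagement entries carry TargetResources items with a type field ("Role" for the directory role, "User" for the member), the PIM completion events put the requester in InitiatedBy.user, and the plain "Add member to role" events written on PIM's behalf put the MS-PIM service in InitiatedBy.app. Instead of fixed array positions (TargetResources[0], [2]) it selects resources by type, records whether the actor was a human or the PIM service, and covers both the PIM completion events and the direct role additions, so a role added outside PIM is not missed.

```kql
// Added example (not from the original thread). Assumptions: Azure AD AuditLogs
// schema as exported to Log Analytics / Sentinel; TargetResources items carry
// "type" == "Role" for the directory role and "User" for the member; PIM-driven
// "Add member to role" events name the MS-PIM service in InitiatedBy.app.
AuditLogs
| where TimeGenerated > ago(30d)
| where Category == "RoleManagement"
// Both the PIM completion events and direct (non-PIM) additions match here.
| where OperationName has_any ("Add member to role", "Add eligible member to role")
// Actor: prefer the requesting user; fall back to the app/service that acted
// (MS-PIM for the plain events PIM writes on the requester's behalf).
| extend ActorUser = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp  = tostring(InitiatedBy.app.displayName)
| extend Actor = coalesce(ActorUser, ActorApp, "<unknown>")
| extend ActorIsService = isempty(ActorUser)
// Do not depend on array positions: pick the role and the member by type.
| mv-apply Resource = TargetResources on (
    summarize
        RoleName = take_anyif(tostring(Resource.displayName), tostring(Resource.type) == "Role"),
        Target   = take_anyif(tostring(Resource.userPrincipalName), tostring(Resource.type) == "User")
  )
// CorrelationId ties the MS-PIM "Add member to role" event to the PIM completion
// event that names the human requester for the same assignment.
| project TimeGenerated, OperationName, Actor, ActorIsService, Target, RoleName, CorrelationId
| order by TimeGenerated desc
```

Rows with ActorIsService == true and no matching PIM completion event on the same CorrelationId are the ones worth a second look, since a privileged role then reached a user without a requester recorded in the PIM events this query keys on.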