Forum Discussion

  • mikhailf
    Steel Contributor

    Hello guidovbrakel,

    Could you please elaborate on the question? 

    This query does trigger when someone adds him/herself to a privileged role (an Admin role).

    • guidovbrakel
      Brass Contributor
      Hi, I want to be alerted only when someone adds himself to a PIM role, not when someone is added to a PIM role.
      • mikhailf
        Steel Contributor

        guidovbrakel

        Please try this:

        AuditLogs
        // PIM role activations only
        | where Category =~ "RoleManagement"
        | where AADOperationType in ("ActivateRole")
        | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
        // The role is the first target resource; keep only admin roles
        | extend DisplayName = tostring(TargetResources[0].displayName)
        | where DisplayName contains "Admin"
        // Who requested the activation and who received the role
        // (the [2] index is environment-specific; verify it against a sample event)
        | extend InitiatorUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
        | extend TargetUser = tostring(TargetResources[2].userPrincipalName)
        // Self-activation: same account on both sides (=~ so UPN casing differences do not hide a match)
        | extend check = iif(InitiatorUser =~ TargetUser, "Success", "Fail")
        | where check == "Success"
        | summarize by bin(TimeGenerated, 1h), OperationName, DisplayName, TargetUser, InitiatorUser, Result


        Please note that the query depends on your environment, so some changes may be needed.
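        To test the self-activation logic of the query above without a workspace, here is an added Python model (not part of the original post or of Sentinel) that applies the same filters to constructed AuditLogs-style records; the UPNs, role names and the fixed TargetResources layout are assumptions for the sample data. It also shows why a case-sensitive UPN comparison can miss a self-activation.

```python
# Offline model of the check in the KQL above, run over constructed AuditLogs-style records
# (made-up UPNs and roles, not tenant data). The user entry is located by its "type" rather
# than the fixed TargetResources[2] index, since that position is an environment assumption.

ACTIVATION_PHRASES = ("Add eligible member to role", "Add member to role")

def _record(initiator, target, role, activity="Add member to role completed (PIM activation)"):
    """Build one constructed record in the shape the query reads (test data only)."""
    return {
        "Category": "RoleManagement",
        "AADOperationType": "ActivateRole",
        "ActivityDisplayName": activity,
        "InitiatedBy": {"user": {"userPrincipalName": initiator}},
        "TargetResources": [
            {"type": "Role", "displayName": role},
            {"type": "Request", "displayName": "pim-request"},
            {"type": "User", "userPrincipalName": target},
        ],
    }

SAMPLE_AUDIT_LOGS = [
    _record("alice@example.test", "alice@example.test", "Security Administrator"),       # self: alert
    _record("bob@example.test", "carol@example.test", "Global Administrator"),            # admin adds someone else
    _record("Dave.Lee@example.test", "dave.lee@example.test", "Exchange Administrator"),  # self, UPN casing differs
    _record("eve@example.test", "eve@example.test", "Reports Reader"),                    # self, but not an Admin role
]

def self_activations(records, role_keyword="Admin", ignore_case=True):
    """Records where the initiator activated a matching role for their own account.
    ignore_case=True compares UPNs like KQL `=~`; False mirrors a plain `==` check."""
    hits = []
    for r in records:
        if r.get("Category", "").lower() != "rolemanagement":           # KQL `=~`
            continue
        if r.get("AADOperationType") != "ActivateRole":
            continue
        if not any(p in r.get("ActivityDisplayName", "") for p in ACTIVATION_PHRASES):
            continue
        targets = r.get("TargetResources") or []
        role = targets[0].get("displayName", "") if targets else ""
        if role_keyword.lower() not in role.lower():                   # KQL `contains` ignores case
            continue
        initiator = r.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName", "")
        target = next((t.get("userPrincipalName", "") for t in targets if t.get("type") == "User"), "")
        same = initiator.lower() == target.lower() if ignore_case else initiator == target
        if initiator and same:
            hits.append({"user": initiator, "role": role})
    return hits
```

With the default settings the model flags alice and Dave.Lee; with ignore_case=False the Dave.Lee activation is silently dropped, which is the gap a case-sensitive comparison leaves in the real query.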
