Forum Discussion
guidovbrakel
May 15, 2022 (Brass Contributor)
Self added to privileged groups
Can someone help me with a Sentinel Analytics Rule which alerts when someone adds himself to a privileged role? I found this one and I would like to modify it a bit so that it only triggers when someone ...
guidovbrakel
May 16, 2022 (Brass Contributor)
Hi, I want to be alerted only when someone adds himself to a PIM role, so not when someone is added to a PIM role.
mikhailf
May 16, 2022 (Steel Contributor)
Please, try this:
AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend DisplayName = TargetResources[0].displayName
| where DisplayName contains "Admin"
| extend InitiatorUser = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)
| extend check = iif(InitiatorUser == TargetUser, "Success", "Fail")
| where check == "Success"
| summarize by bin(TimeGenerated, 1h), OperationName, tostring(DisplayName), TargetUser, tostring(InitiatorUser), Result
Please, note that the query depends on your environment and there can be some changes.
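Added example (not part of the post above and not a Microsoft-provided rule): the self-assignment comparison from the posted query, run against constructed rows. It goes beyond the posted query by comparing UPNs case-insensitively, dropping events with no user initiator, and searching every TargetResources entry rather than index 2. The sample rows and the contoso.example names are constructed, and real audit events in your tenant may be shaped differently.

```kql
// Constructed rows shaped after the AuditLogs fields the posted query reads (not real events).
let SampleAuditLogs = datatable(TimeGenerated: datetime, Category: string, ActivityDisplayName: string,
                                Result: string, InitiatedBy: dynamic, TargetResources: dynamic)
[
    // Row 1: user adds herself; UPN casing differs between initiator and target.
    datetime(2022-05-16 09:00:00), "RoleManagement", "Add member to role", "success",
    dynamic({"user": {"userPrincipalName": "alice@contoso.example"}}),
    dynamic([{"displayName": "Security Administrator"}, {"displayName": "constructed"}, {"userPrincipalName": "Alice@contoso.example"}]),
    // Row 2: an administrator adds a different user.
    datetime(2022-05-16 10:00:00), "RoleManagement", "Add eligible member to role", "success",
    dynamic({"user": {"userPrincipalName": "admin@contoso.example"}}),
    dynamic([{"displayName": "Global Administrator"}, {"displayName": "constructed"}, {"userPrincipalName": "bob@contoso.example"}]),
    // Row 3: initiated by an application, so InitiatedBy.user is absent, and no target UPN.
    datetime(2022-05-16 11:00:00), "RoleManagement", "Add member to role", "success",
    dynamic({"app": {"displayName": "constructed-app"}}),
    dynamic([{"displayName": "User Administrator"}]),
    // Row 4: self-add where the user object is not at index 2 of TargetResources.
    datetime(2022-05-16 12:00:00), "RoleManagement", "Add eligible member to role", "success",
    dynamic({"user": {"userPrincipalName": "carol@contoso.example"}}),
    dynamic([{"userPrincipalName": "carol@contoso.example"}, {"displayName": "Exchange Administrator"}])
];
SampleAuditLogs
| where Category =~ "RoleManagement"
// The AADOperationType filter from the posted query is left out; set it to the operation you want to alert on.
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend InitiatorUser = tolower(tostring(InitiatedBy.user.userPrincipalName))
// Without this guard an empty initiator could match an empty target once both are cast to string.
| where isnotempty(InitiatorUser)
// Collect every UPN and every "Admin" role name in TargetResources instead of relying on fixed positions.
| mv-apply tr = TargetResources on (
    summarize TargetUsers = make_set_if(tolower(tostring(tr.userPrincipalName)), isnotempty(tostring(tr.userPrincipalName))),
              Roles = make_set_if(tostring(tr.displayName), tostring(tr.displayName) contains "Admin")
  )
| where array_length(Roles) > 0 and set_has_element(TargetUsers, InitiatorUser)
| project TimeGenerated, ActivityDisplayName, InitiatorUser, Roles, Result
```

To use it against live data, replace `SampleAuditLogs` with `AuditLogs` and confirm the activity names against events from your own tenant.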
- guidovbrakel
  May 17, 2022 (Brass Contributor)
- mikhailf
  May 17, 2022 (Steel Contributor)
  Yes, you are right, this is activation.
  Did you mean "when a user provides himself with an opportunity to activate a role" -> "configure role assignment for himself"?
- guidovbrakel
  May 17, 2022 (Brass Contributor)