Feb 23 2023 10:32 AM
Hello,
I posted a similar query previously about HOW you extract details about the user who initiated the action to ADD a new privileged role to ANOTHER user.
I have simplified my BASE query to this...
AuditLogs
| where TimeGenerated between (ago(90d) ..now())
| where OperationName == "Add member to role"
| extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UserAdded = tostring(TargetResources[0].userPrincipalName)
| extend RoleAdded = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
The query WORKS but:
| extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
...sometimes returns BLANK when ADDING a new privileged role has been completed through AD PIM. It tries to return the Service Principal and returns a NULL value.
Now as the initiating user has completed the ACTION through AD PIM, how can I extract their details?
Now when the ADD action is done outside AD PIM, it returns the UPN (User Principal Name).
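One way to keep the initiator column from going blank, as an added example query that is not part of the original post: fall back to InitiatedBy.app when InitiatedBy.user is empty, and optionally pull the requesting user from the PIM request event. The assumption that PIM request events share a CorrelationId with the resulting "Add member to role" event, and that their operation names contain "PIM", is mine and should be checked against your own tenant's AuditLogs before relying on it.

```kql
// Added example (not from the original post). Builds on the poster's base query so the
// initiator is reported even when the role was assigned through PIM by a service principal.
// Assumption (verify in your tenant): the PIM request event shares CorrelationId with the
// "Add member to role" event and its OperationName contains "PIM".
let lookback = 90d;
let roleAdds = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Add member to role"
| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatingApp  = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend UserAdded = tostring(TargetResources[0].userPrincipalName)
| extend RoleAdded = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
// coalesce returns the first non-empty string: the user if present, else the app, else a marker
| extend Initiator = coalesce(InitiatingUser, InitiatingApp, "unknown")
// flag rows where no user was logged and the acting app looks like PIM
| extend ViaPIM = isempty(InitiatingUser) and InitiatingApp has "PIM";
// PIM request events do carry the requesting user; collect them for correlation
let pimRequests = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName has "PIM"
| extend PIMRequestor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(PIMRequestor)
| project CorrelationId, PIMRequestor, PIMOperation = OperationName;
roleAdds
| join kind=leftouter pimRequests on CorrelationId
// prefer the human requestor over the PIM app identity when the correlation found one
| extend Initiator = iff(ViaPIM and isnotempty(PIMRequestor), PIMRequestor, Initiator)
| project TimeGenerated, Initiator, ViaPIM, PIMOperation, UserAdded, RoleAdded, CorrelationId
| order by TimeGenerated desc
```

Rows where ViaPIM is true and PIMOperation is empty are the ones where the correlation did not match; those still show the app identity rather than a blank, which is what you want for alerting on privileged role additions.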