Microsoft Tech Community

Self added to privileged groups

Can someone help me with a Sentinel Analytics Rule that alerts when someone adds himself to a privileged role? I found this one and I would like to modify it a bit so that it only triggers when someone adds him/herself to a privileged role:

Hello @guidovbrakel,

Could you please elaborate on the question? 

This query does trigger when someone adds him/herself to a privileged role (an Admin role).

Hi, I want to be alerted only when someone adds himself to a PIM role, so not when someone is added to a PIM role.



Please, try this: 


AuditLogs   // Entra ID audit table that carries the RoleManagement events used below
| where Category =~ "RoleManagement"
| where AADOperationType in ("ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend DisplayName = tostring(TargetResources[0].displayName)   // TargetResources[0] is the role
| where DisplayName contains "Admin"
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)   // position of the user entry may differ per environment
| extend check = iif(InitiatorUser == TargetUser, "Success", "Fail")   // initiator and target are the same account
| where check == "Success"
| summarize by bin(TimeGenerated, 1h), OperationName, DisplayName, TargetUser, InitiatorUser, Result


Please note that the query depends on your environment and may need some changes.



This only seems to include the activation of the role, not the add.

Yes, you are right, this is activation.
Did you mean "when a user provides himself with an opportunity to activate a role" -> "configure role assignment for himself"?



Configure role assignment for himself 

This is what I managed to create.
Based on this query you can add/remove different columns, etc.

AuditLogs   // Entra ID audit table that carries the RoleManagement events used below
| where OperationName contains "Add member to role in PIM requested"   // PIM assignment request, not activation
| where Category =~ "RoleManagement"
| extend RoleDisplayName = tostring(TargetResources[0].displayName)   // TargetResources[0] is the role
| where RoleDisplayName contains "Admin"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)   // position of the user entry may differ per environment
| extend check = iif(InitiatedByUser == TargetUser, "Success", "Fail")   // initiator and target are the same account
| where check == "Success"
| summarize by bin(TimeGenerated, 1h), InitiatedByUser, OperationName, TargetUser, RoleDisplayName, ResultDescription, Result

Here you can also find more information about KQL: