May 15 2022 10:58 PM
May 16 2022 03:59 AM
Hello @guidovbrakel,
Could you please elaborate on the question?
This query does trigger when someone adds him/herself to a privileged role (an Admin role).
May 16 2022 06:42 AM
Please try this:
AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
// Role being granted. TargetResources positions differ between event types; verify against a sample event in your tenant.
| extend DisplayName = tostring(TargetResources[0].displayName)
| where DisplayName contains "Admin"
// Actor and recipient of the role, both cast to string so the comparison below is reliable
| extend InitiatorUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)
// Flag events where the initiator granted the role to their own account
| extend check = iif(InitiatorUser == TargetUser, "Success", "Fail")
| where check == "Success"
| summarize by bin(TimeGenerated, 1h), OperationName, DisplayName, TargetUser, InitiatorUser, Result
Please note that the query depends on your environment, so some changes may be needed.
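To test the same self-assignment logic offline before deploying it as an analytics rule, here is an added Python re-implementation (not part of the answer above) that runs over constructed AuditLogs-shaped rows. It generalizes the fixed TargetResources[2] lookup by selecting entries by their type field, and tolerates app-initiated events that have no InitiatedBy.user; the field names follow the Sentinel AuditLogs schema, while every record and UPN below is constructed test data.

```python
import json

ROLE_ACTIVITIES = ("Add eligible member to role", "Add member to role")

def _row(activity, initiator, targets):
    """Build a constructed AuditLogs-shaped row; dynamic columns kept as JSON text."""
    return {"Category": "RoleManagement", "ActivityDisplayName": activity, "Result": "success",
            "InitiatedBy": json.dumps(initiator), "TargetResources": json.dumps(targets)}

# Constructed sample rows, not real telemetry.
SAMPLE_AUDIT_LOGS = [
    # 1: PIM activation, user object at TargetResources[2], initiator == target -> flag
    _row("Add member to role completed (PIM activation)",
         {"user": {"userPrincipalName": "alice@contoso.example"}},
         [{"type": "Role", "displayName": "Global Administrator"},
          {"type": "Other", "displayName": "constructed padding entry"},
          {"type": "User", "userPrincipalName": "alice@contoso.example"}]),
    # 2: alice assigns bob, user object at index 1: not a self-assignment
    _row("Add member to role", {"user": {"userPrincipalName": "alice@contoso.example"}},
         [{"type": "Role", "displayName": "Security Administrator"},
          {"type": "User", "userPrincipalName": "bob@contoso.example"}]),
    # 3: self-assignment, but the role name does not contain "Admin" -> not flagged
    _row("Add eligible member to role", {"user": {"userPrincipalName": "carol@contoso.example"}},
         [{"type": "Role", "displayName": "Directory Readers"},
          {"type": "User", "userPrincipalName": "carol@contoso.example"}]),
    # 4: app-initiated assignment: no InitiatedBy.user, must neither crash nor match
    _row("Add member to role", {"app": {"displayName": "Provisioning"}},
         [{"type": "Role", "displayName": "User Administrator"},
          {"type": "User", "userPrincipalName": "dave@contoso.example"}]),
]

def self_admin_assignments(rows):
    """Return (role, upn) for rows where a user grants an Admin role to their own account."""
    hits = []
    for r in rows:
        if r.get("Category") != "RoleManagement": continue
        if not any(a in r.get("ActivityDisplayName", "") for a in ROLE_ACTIVITIES): continue
        targets = json.loads(r["TargetResources"])
        role = next((t.get("displayName") or "" for t in targets if t.get("type") == "Role"), "")
        if "admin" not in role.lower(): continue  # KQL 'contains' is case-insensitive
        initiator = (json.loads(r["InitiatedBy"]).get("user") or {}).get("userPrincipalName")
        target = next((t.get("userPrincipalName") for t in targets if t.get("type") == "User"), None)
        if initiator and target and initiator.lower() == target.lower():  # UPNs are case-insensitive
            hits.append((role, initiator))
    return hits

if __name__ == "__main__":
    for role, upn in self_admin_assignments(SAMPLE_AUDIT_LOGS):
        print(f"self-assignment detected: {upn} -> {role}")
```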