Self added to privliged groups

Occasional Contributor
Can someone help me with an Sentinel Analytics Rule which alerts when someone adds himself to a privileged role. I found this one and I would like to modify it bit that it only triggers when someone adds him/herself in a privileged role:
7 Replies

Hello @guidovbrakel,

Could you please elaborate on the question? 

This query does trigger when someone adds him/herself to a privileged role (an Admin role).

Hi, I want to be alerted only when someone add himself to a PIM role, so not when someone is added to a PIM role

@guidovbrakel 

 

Please, try this: 

 

AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("ActivateRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| extend DisplayName = TargetResources[0].displayName
| where DisplayName contains "Admin"
| extend InitiatorUser = parse_json(tostring(InitiatedBy.user)).userPrincipalName
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)
| extend check = iif(InitiatorUser == TargetUser, "Success", "Fail")
| where check == "Success"
| summarize by bin(TimeGenerated, 1h), OperationName, tostring(DisplayName), TargetUser, tostring(InitiatorUser), Result

 

Please, note that the query depends on your environment and there can be some changes. 

@mikhailf

 

This only seems to include the activation on the role not the add. 

Yes, you are right, this is activation.
Did you mean "when a user provides himself with an opportunity to activate a role" -> "configure role assignment for himself"?

@mikhailf

 

Configure role assignment for himself 

This is what I managed to create.
Based on this query you can add/remove different columns, etc.

AuditLogs
| where OperationName contains "Add member to role in PIM requested"
| where Category =~ "RoleManagement"
| where TargetResources[0].displayName contains "Admin"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)
| extend check = iif(InitiatedByUser == TargetUser, "Success", "Fail")
| where check == "Success"
| extend RoleDisplayName = tostring(TargetResources[0].displayName)
| summarize by bin(TimeGenerated, 1h), InitiatedByUser, OperationName, TargetUser, RoleDisplayName, ResultDescription, Result

Here you can also find more information about KQL: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/advanced-kql-framework-workbook-empow...