Self added to privliged groups

Question

Can someone help me with an Sentinel Analytics Rule which alerts when someone adds himself to a privileged role. I found this one and I would like to modify it bit that it only triggers when someone adds him/herself in a privileged role:https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml&nbsp;

mikhailf · Answer

Hello&nbsp;guidovbrakel,Could you please elaborate on the question?&nbsp;This query does&nbsp;trigger when someone adds him/herself to a&nbsp;privileged&nbsp;role (an Admin role).

guidovbrakel · Answer

Hi, I want to be alerted only when someone add himself to a PIM role, so not when someone is added to a PIM role

mikhailf · Answer

guidovbrakel&nbsp;&nbsp;Please, try this:&nbsp;&nbsp;AuditLogs| where Category =~ "RoleManagement"| where AADOperationType in ("ActivateRole")| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")| extend DisplayName = TargetResources[0].displayName| where DisplayName contains "Admin"| extend InitiatorUser = parse_json(tostring(InitiatedBy.user)).userPrincipalName| extend TargetUser = tostring(TargetResources[2].userPrincipalName)| extend check = iif(InitiatorUser == TargetUser, "Success", "Fail")| where check == "Success"| summarize by bin(TimeGenerated, 1h), OperationName, tostring(DisplayName), TargetUser, tostring(InitiatorUser), Result&nbsp;Please, note that the query depends on your environment and there can be some changes.&nbsp;

guidovbrakel · Answer

mikhailf&nbsp;This only seems to include the activation on the role not the add.&nbsp;

mikhailf · Answer

Yes, you are right, this is activation.Did you mean "when a user provides himself with an opportunity to activate a role" -&gt; "configure role assignment for himself"?

Forum Discussion

Self added to privliged groups

7 Replies