Query Details
// This query looks at the justification descriptions given for approval per role.
// Use it to check that users are PIM'ing up for the right roles for the right tasks.
// Where a user has repeated the same justification over and over, it could indicate
// that they have tried to script their PIM elevations.
// #TODO join "Add member to role request approved (PIM activation)" to pull the approver
// (RequestID = tostring(AdditionalDetails[7].value))
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Add member to role requested (PIM activation)"
// The activated role is the first target resource of the event
| extend Role = tostring(TargetResources[0].displayName)
// AdditionalDetails is read by position here: the element at index 7 is assumed to be the ticket/request id.
// Positional indexing breaks silently if the order of AdditionalDetails entries changes.
| extend TicketNumber = tostring(AdditionalDetails[7].value)
// InitiatedBy is already a dynamic column, so no parse_json() is needed
| extend Requester = tostring(InitiatedBy.user.userPrincipalName)
// Count activations per justification so repeated justifications stand out
| summarize Activations = count() by ResultReason, Requester, Role, TicketNumber
This KQL (Kusto Query Language) query is designed to analyze audit logs related to role activation requests in a Privileged Identity Management (PIM) system. Here's a simple breakdown of what the query does:
Data Source: It starts by looking at the AuditLogs table.
Time Filter: The query filters the logs to include only those generated in the last 90 days.
Operation Filter: It specifically looks for logs where the operation name is "Add member to role requested (PIM activation)," which indicates requests to activate a role.
Extract Information: It pulls the activated role name from the first entry of the TargetResources field, and the ticket number from the eighth entry (index 7) of the AdditionalDetails field. Indexing AdditionalDetails by position assumes the order of its entries is stable; reading the entry by its key is more robust.
Summarization: The query summarizes the data by the justification text (ResultReason), the requesting user's userPrincipalName (taken from InitiatedBy.user), the role, and the ticket number.
Purpose: The goal is to review the justifications provided for role activations to ensure users are requesting the correct roles for appropriate tasks. The same justification repeated many times by one user might suggest that they are automating their role activation requests, which could be a concern; it can also simply reflect a recurring scheduled task, so treat the output as a triage list rather than an alert.
Future Enhancement: There's a note to join this data with another log entry type ("Add member to role request approved") to include information about who approved the request, using the RequestID for matching.
Overall, this query helps in auditing and ensuring the proper use of role activation requests within a PIM system.
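As an added example (not the query from this page and not Jay Kerai's code), the following KQL carries out the TODO above: it joins the activation requests to the matching approval events to pull the approver, and counts how often each user reuses the same justification for the same role. It runs against a constructed in-query datatable standing in for AuditLogs, so it can be pasted into any Kusto or Log Analytics query editor without tenant data. Assumptions: the request identifier is read from AdditionalDetails by the key name "RequestId" (the page reads it positionally), the approval event's InitiatedBy.user is the approver, the sample rows and user names are invented, and the repeat threshold of 3 is arbitrary.

```kql
// Constructed sample rows standing in for the AuditLogs table (illustrative data, not a real tenant).
// Assumption: the PIM request id lives in AdditionalDetails under the key "RequestId".
let SampleAuditLogs = datatable(
    TimeGenerated:datetime, OperationName:string, ResultReason:string,
    InitiatedBy:dynamic, TargetResources:dynamic, AdditionalDetails:dynamic)
[
    datetime(2024-11-01T08:00:00Z), "Add member to role requested (PIM activation)", "INC1234",
        dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-001"}]),
    datetime(2024-11-01T08:02:00Z), "Add member to role request approved (PIM activation)", "",
        dynamic({"user":{"userPrincipalName":"bob@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-001"}]),
    datetime(2024-11-02T08:00:00Z), "Add member to role requested (PIM activation)", "INC1234",
        dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-002"}]),
    datetime(2024-11-02T08:01:00Z), "Add member to role request approved (PIM activation)", "",
        dynamic({"user":{"userPrincipalName":"bob@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-002"}]),
    datetime(2024-11-03T08:00:00Z), "Add member to role requested (PIM activation)", "INC1234",
        dynamic({"user":{"userPrincipalName":"alice@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-003"}]),
    datetime(2024-11-03T08:03:00Z), "Add member to role request approved (PIM activation)", "",
        dynamic({"user":{"userPrincipalName":"bob@contoso.example"}}),
        dynamic([{"displayName":"Global Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-003"}]),
    datetime(2024-11-04T09:00:00Z), "Add member to role requested (PIM activation)", "Rotate SMTP relay password, CHG5678",
        dynamic({"user":{"userPrincipalName":"carol@contoso.example"}}),
        dynamic([{"displayName":"Exchange Administrator"}]),
        dynamic([{"key":"RequestId","value":"req-004"}])
];
// Pull the request id by key rather than by array position, so a change in the
// order of AdditionalDetails does not silently break the join.
// Rows that carry no "RequestId" entry are dropped by mv-apply.
let WithRequestId = SampleAuditLogs
| mv-apply Detail = AdditionalDetails on (
      where tostring(Detail.key) == "RequestId"
      | project RequestId = tostring(Detail.value)
  );
// One row per activation request: who asked, for which role, with what justification
let Requests = WithRequestId
| where OperationName == "Add member to role requested (PIM activation)"
| project RequestTime = TimeGenerated,
          Requester = tostring(InitiatedBy.user.userPrincipalName),
          Role = tostring(TargetResources[0].displayName),
          Justification = ResultReason,
          RequestId;
// One row per approval: the approver is the user who initiated the approval event
let Approvals = WithRequestId
| where OperationName == "Add member to role request approved (PIM activation)"
| project ApprovalTime = TimeGenerated,
          Approver = tostring(InitiatedBy.user.userPrincipalName),
          RequestId;
// Arbitrary threshold: flag a justification reused this many times by the same user for the same role
let RepeatThreshold = 3;
Requests
| join kind=leftouter Approvals on RequestId   // leftouter keeps requests that were never approved
| summarize Activations = count(),
            FirstSeen = min(RequestTime),
            LastSeen = max(RequestTime),
            Approved = countif(isnotempty(Approver)),
            Approvers = make_set_if(Approver, isnotempty(Approver))
    by Requester, Role, Justification
| extend RepeatedJustification = Activations >= RepeatThreshold
| order by Activations desc
```

On the sample rows this returns two groups: alice / Global Administrator / "INC1234" with Activations 3, Approved 3, Approvers ["bob@contoso.example"] and RepeatedJustification true, and carol / Exchange Administrator with Activations 1, no approvers and RepeatedJustification false. To run it against a real workspace, replace SampleAuditLogs with AuditLogs and add the page's `where TimeGenerated > ago(90d)` filter before the mv-apply.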

Jay Kerai
Released: November 30, 2024