Query Details

Audit Justifications For Self Approval PIM Requests

Query

// This query looks at the justification descriptions given for self-approval per role. Use this to check that users are PIM'ing up for the right roles for the right tasks.
AuditLogs
| where OperationName == "Add member to role requested (PIM activation)"
| extend Role = tostring(TargetResources[0].displayName)
| summarize count() by ResultReason, tostring(parse_json(InitiatedBy.user).userPrincipalName), Role

Explanation

This query analyzes audit logs to examine the justifications users provide when they activate certain roles for themselves using Privileged Identity Management (PIM). Here's a breakdown of what the query does:

  1. Data Source: It starts by looking at the AuditLogs table, which contains records of various operations.

  2. Filter: It filters the logs to only include entries where the operation name is "Add member to role requested (PIM activation)." This means it focuses on instances where users are activating roles for themselves using PIM.

  3. Extract Role Information: It extracts the role name from the TargetResources field and stores it in a new column called Role.

  4. Summarize Data: It groups the data by the reason for the result (ResultReason), the user's principal name (userPrincipalName), and the role name (Role). It then counts the number of occurrences for each combination.

In simple terms, this query shows how often each user is activating roles for themselves, which roles they are activating, and the justification they give each time. Reviewing these justifications per user and role helps confirm that users are requesting the right roles for appropriate tasks, and makes missing or vague justifications easy to spot.
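The following is an added example and not the query from the original page: it keeps the same table, filter and grouping, but also classifies each activation by the quality of its justification so that missing or very short justifications surface first in the results. The 30-day window, the 15-character threshold and the column names Requester, Justification and JustificationQuality are assumptions chosen for this example.

```kql
// Added example, not the page's own query.
// Same source and filter as above, but each PIM activation request is also
// labelled by how much justification text was supplied, so reviewers can
// start with the weakly justified activations.
AuditLogs
| where TimeGenerated > ago(30d)                       // assumed review window
| where OperationName == "Add member to role requested (PIM activation)"
| extend Role = tostring(TargetResources[0].displayName)
| extend Requester = tostring(InitiatedBy.user.userPrincipalName)
| extend Justification = tostring(ResultReason)
// Classify the justification text; the 15-character threshold is an assumption to tune.
| extend JustificationQuality = case(
    isempty(Justification), "missing",
    strlen(Justification) < 15, "short",
    "ok")
| summarize
    Activations = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Justifications = make_set(Justification, 10)       // up to 10 distinct reasons per group
    by Requester, Role, JustificationQuality
// "missing" and "short" sort before "ok", then the most frequent activators first.
| order by JustificationQuality asc, Activations desc
```

The grouping by Requester, Role and JustificationQuality keeps the original per-user, per-role view while separating well-described activations from the ones that need a follow-up question.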

Details


Jay Kerai

Released: November 24, 2024

Tables

AuditLogs

Keywords

AuditLogs, OperationName, TargetResources, ResultReason, InitiatedBy, UserPrincipalName, Role

Operators

where, extend, tostring, summarize, count, by, parse_json
