Query Details

Audit Detect Active PIM Assignment

Query

//Alert when a user is given an active Azure AD role assignment through PIM, either permanent or time-bound
//(eligible assignments use a different operation name and are not matched)

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName in ("Add member to role in PIM completed (permanent)","Add member to role in PIM completed (timebound)")
| where TargetResources[2].type == "User"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend User = tostring(TargetResources[2].userPrincipalName)
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
| project TimeGenerated, Actor, User, ['Azure AD Role Name']

Explanation

This query looks for Azure Active Directory audit log events that indicate a user has been given an active role assignment (permanent or time-bound) through PIM (Privileged Identity Management), as opposed to an eligible assignment. It filters the logs on the two operation names for completed active member additions and keeps only events whose third TargetResources entry is a user. It then extracts the actor who initiated the action (from the nested InitiatedBy.user object), the user being assigned the role, and the Azure AD role name. The final result includes the timestamp of the log entry, the actor, the user, and the Azure AD role name.
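As an added illustration that is not part of the original query page, the following Python re-implements the same filtering and projection over a few constructed AuditLogs rows, so the effect of each where clause can be seen on sample data. The row shape, the extra operation name used for the negative case, and the sample principals and role names are assumptions.

```python
import json

# Operation names the query on the page matches.
PIM_ACTIVE_ASSIGNMENT_OPS = {
    "Add member to role in PIM completed (permanent)",
    "Add member to role in PIM completed (timebound)",
}

def detect_pim_active_assignments(rows):
    """Apply the query's filters and projection to AuditLogs rows (dicts)."""
    alerts = []
    for row in rows:
        if row.get("OperationName") not in PIM_ACTIVE_ASSIGNMENT_OPS:
            continue
        targets = row.get("TargetResources") or []
        # TargetResources[2].type == "User": a short array or a non-user target drops the row.
        if len(targets) < 3 or targets[2].get("type") != "User":
            continue
        # The query reads InitiatedBy.user via parse_json(tostring(...)); accept a JSON string or an object.
        user_blob = (row.get("InitiatedBy") or {}).get("user")
        actor = json.loads(user_blob) if isinstance(user_blob, str) else (user_blob or {})
        alerts.append({"TimeGenerated": row["TimeGenerated"],
                       "Actor": actor.get("userPrincipalName", ""),
                       "User": targets[2].get("userPrincipalName", ""),
                       "Azure AD Role Name": targets[0].get("displayName", "")})
    return alerts

def _row(op, target_type, upn, role, when):
    """Build a constructed AuditLogs row (assumed shape and values, not real tenant data)."""
    return {
        "TimeGenerated": when,
        "OperationName": op,
        "InitiatedBy": {"user": json.dumps({"userPrincipalName": "pim-admin@contoso.example"})},
        "TargetResources": [
            {"type": "Role", "displayName": role},
            {"type": "Request", "displayName": ""},
            {"type": target_type, "userPrincipalName": upn},
        ],
    }

# Two rows should alert (permanent and time-bound active), two should be filtered out.
SAMPLE_AUDIT_LOGS = [
    _row("Add member to role in PIM completed (permanent)", "User",
         "alice@contoso.example", "Global Administrator", "2022-06-17T09:15:00Z"),
    _row("Add member to role in PIM completed (timebound)", "User",
         "bob@contoso.example", "Security Administrator", "2022-06-17T10:02:00Z"),
    _row("Add eligible member to role in PIM completed (permanent)", "User",
         "carol@contoso.example", "User Administrator", "2022-06-17T10:30:00Z"),
    _row("Add member to role in PIM completed (permanent)", "Group",
         "", "Global Reader", "2022-06-17T11:00:00Z"),
]
```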

Details

Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, OperationName, Add member to role in PIM completed (permanent), Add member to role in PIM completed (timebound), TargetResources, User, Actor, InitiatedBy.user, userPrincipalName, TargetResources[2].type, TargetResources[2].userPrincipalName, TargetResources[0].displayName, TimeGenerated, ['Azure AD Role Name']

Operators

where, in, ==, extend, tostring, parse_json, project