Query Details

Audit Detect PIM Activations Outside Working Hours

Query

//Detect Azure AD PIM activations outside of working hours

//Data connector required for this query - Azure Active Directory - Audit Logs

let timerange=30d;
AuditLogs
// extend LocalTime to your time zone
| extend LocalTime=TimeGenerated + 5h
| where LocalTime > ago(timerange)
// Change hours of the day to suit your company, e.g. this would find activations between 6pm and 6am
| where hourofday(LocalTime) !between (6 .. 18)
| where OperationName == "Add member to role completed (PIM activation)"
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
| project LocalTime, User, ['Azure AD Role Name'], ['Activation Reason']=ResultReason

Explanation

This query is used to detect Azure AD PIM activations that occur outside of working hours. It uses the Azure Active Directory - Audit Logs data connector. The query filters the audit logs based on a specified time range and then adjusts the time to the local time zone. It further filters the logs to find activations that occur outside of a specific time range (e.g., between 6pm and 6am). It specifically looks for the "Add member to role completed (PIM activation)" operation and extracts the user and role information. The query then projects the local time, user, role name, and activation reason for the results.
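The same detection logic re-implemented in Python, as an added example that is not code from the original page or its author: it runs the query's filters in order over constructed AuditLogs-style records so the behaviour (the +5h offset, the 30-day window, the inclusive 6..18 working-hour range and the app-initiated case with no user principal) can be checked offline. The NOW timestamp, user names, roles and reasons are all constructed.

```python
# Added example (not part of the original page): the KQL detection above
# re-implemented over constructed AuditLogs-style records. Field names mirror
# the Sentinel AuditLogs table; every record and timestamp here is constructed.
import json
from datetime import datetime, timedelta, timezone

PIM_ACTIVATION_OP = "Add member to role completed (PIM activation)"
WORK_START_HOUR, WORK_END_HOUR = 6, 18   # KQL `between (6 .. 18)` is inclusive at both ends
LOCAL_OFFSET = timedelta(hours=5)        # mirrors `TimeGenerated + 5h`; set for your zone
TIMERANGE = timedelta(days=30)           # mirrors `let timerange=30d`

# Constructed "now" so the 30-day window is reproducible (the page's release date).
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)


def is_outside_working_hours(hour: int) -> bool:
    """Equivalent of `hourofday(LocalTime) !between (6 .. 18)`. Because the KQL
    range is inclusive, hour 18 (6:00-6:59 pm) still counts as working hours."""
    return not (WORK_START_HOUR <= hour <= WORK_END_HOUR)


def initiating_user(initiated_by: str) -> str:
    """Mirror `tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)`.
    Activations initiated by an app carry no user object; KQL's tostring yields ""."""
    user = json.loads(initiated_by).get("user") or {}
    return user.get("userPrincipalName", "")


def detect_pim_activations(records, now=NOW, offset=LOCAL_OFFSET, timerange=TIMERANGE):
    """Apply the query's filters in the same order and return the projected rows."""
    rows = []
    for rec in records:
        local_time = datetime.fromisoformat(rec["TimeGenerated"]) + offset
        if not local_time > now - timerange:                 # where LocalTime > ago(timerange)
            continue
        if not is_outside_working_hours(local_time.hour):    # where hourofday(LocalTime) !between (6 .. 18)
            continue
        if rec["OperationName"] != PIM_ACTIVATION_OP:        # where OperationName == "..."
            continue
        rows.append({                                        # project LocalTime, User, Role, Reason
            "LocalTime": local_time.strftime("%Y-%m-%dT%H:%M:%S"),
            "User": initiating_user(rec["InitiatedBy"]),
            "Azure AD Role Name": rec["TargetResources"][0]["displayName"],
            "Activation Reason": rec["ResultReason"],
        })
    return rows


def _record(ts, op, initiated_by, role, reason):
    """Build one constructed AuditLogs-style record (InitiatedBy kept as a JSON string)."""
    return {"TimeGenerated": ts, "OperationName": op, "InitiatedBy": initiated_by,
            "TargetResources": [{"displayName": role}], "ResultReason": reason}


USER_ALICE = json.dumps({"user": {"userPrincipalName": "alice@contoso.example"}})
APP_ONLY = json.dumps({"app": {"displayName": "Automation Runbook"}, "user": None})

SAMPLE_RECORDS = [
    # 22:30 UTC -> 03:30 local: flagged
    _record("2022-06-10T22:30:00+00:00", PIM_ACTIVATION_OP, USER_ALICE,
            "Global Administrator", "Incident response ticket 1234"),
    # 05:00 UTC -> 10:00 local: working hours, not flagged
    _record("2022-06-10T05:00:00+00:00", PIM_ACTIVATION_OP, USER_ALICE,
            "Security Reader", "Daily review"),
    # 13:00 UTC -> 18:00 local: hour 18 is inside the inclusive range, not flagged
    _record("2022-06-10T13:00:00+00:00", PIM_ACTIVATION_OP, USER_ALICE,
            "Security Reader", "End of day check"),
    # 15:00 UTC -> 20:00 local, but a request rather than a completed activation
    _record("2022-06-10T15:00:00+00:00", "Add member to role requested (PIM activation)",
            USER_ALICE, "Global Administrator", "Pending approval"),
    # Older than 30 days relative to NOW: excluded by the time window
    _record("2022-04-01T23:00:00+00:00", PIM_ACTIVATION_OP, USER_ALICE,
            "Global Administrator", "Old activation"),
    # 18:30 UTC -> 23:30 local, initiated by an app: flagged with an empty User
    _record("2022-06-11T18:30:00+00:00", PIM_ACTIVATION_OP, APP_ONLY,
            "Exchange Administrator", "Scheduled maintenance"),
]

if __name__ == "__main__":
    for row in detect_pim_activations(SAMPLE_RECORDS):
        print(row)
```

Running the script prints two rows (the 03:30 activation by alice and the 23:30 app-initiated activation); the empty User on the second row is the case worth watching for when tuning the query, since an app-initiated activation would otherwise be easy to overlook in the projected output.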

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

Devices,Intune,User,AzureADPIM,AuditLogs

Operators

extend, where, !between, ==, tostring, parse_json, extend, project
