Query Details

Audit New PIM Role Activated

Query

//Detect when a user activates an Azure AD PIM role never seen by them before

//Data connector required for this query - Azure Active Directory - Audit Logs

//Left side: baseline of distinct (user, role) PIM activations between 180 days ago and 1 day ago
AuditLogs
| where TimeGenerated > ago(180d) and TimeGenerated < ago(1d)
| where OperationName == "Add member to role completed (PIM activation)"
//InitiatedBy.user is a dynamic field; convert to string and parse to read the UPN of the activating user
| extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
//The role that was activated is the first target resource of the audit event
| extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
| distinct User, ['Azure AD Role Name']
//Right side: PIM activations from the last day; rightanti keeps right-side rows with no match in the baseline
| join kind=rightanti (
    AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName == "Add member to role completed (PIM activation)"
    | extend User = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | extend ['Azure AD Role Name'] = tostring(TargetResources[0].displayName)
    )
    on User, ['Azure AD Role Name']
//Source IP of the activation is extracted here but not in the project below; add it to project if needed for triage
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project TimeGenerated, User, ['Azure AD Role Name']

Explanation

This query detects when a user activates an Azure AD PIM (Privileged Identity Management) role that they have never activated before. It uses the Azure Active Directory - Audit Logs data connector. The query first builds a baseline from the audit logs between 180 days ago and 1 day ago, keeping only the "Add member to role completed (PIM activation)" operation and extracting the user principal name of the activating user and the name of the Azure AD role as distinct pairs. It then performs a rightanti join against the PIM activations from the past day, which keeps only those activations in the last day whose user and role pair does not appear in the baseline. The final result includes the timestamp, user principal name, and the name of the newly activated role.
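The baseline-versus-recent logic of the query, rebuilt in Python over constructed AuditLogs-shaped rows as an added example (not the query author's code), so the rightanti behaviour and the 180-day window edge can be checked offline. Field names follow the AuditLogs schema used above; all user names, roles, IPs and timestamps are invented.

```python
import json
from datetime import datetime, timedelta, timezone

PIM_ACTIVATION = "Add member to role completed (PIM activation)"
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def audit_row(hours_ago, upn, role, ip="198.51.100.10", op=PIM_ACTIVATION):
    """Build one constructed AuditLogs-shaped row. InitiatedBy.user is stored as a
    JSON string, mirroring what parse_json(tostring(InitiatedBy.user)) consumes."""
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "OperationName": op,
        "InitiatedBy": {"user": json.dumps({"userPrincipalName": upn, "ipAddress": ip})},
        "TargetResources": [{"displayName": role}],
    }


# Constructed sample data, not real tenant logs.
SAMPLE_AUDIT_LOGS = [
    audit_row(24 * 30, "alice@example.com", "Global Reader"),       # in baseline window
    audit_row(2, "alice@example.com", "Global Reader"),             # seen before: no alert
    audit_row(1, "alice@example.com", "Security Administrator"),    # new role: alert
    audit_row(3, "bob@example.com", "Global Reader"),               # no history: alert
    audit_row(24 * 200, "carol@example.com", "Global Reader"),      # older than 180d: not baseline
    audit_row(5, "carol@example.com", "Global Reader"),             # therefore looks new: alert
    audit_row(4, "dave@example.com", "Global Reader", op="Other operation"),  # ignored
]


def parse_activation(row):
    """Extract (User, Azure AD Role Name, IPAddress) the way the KQL extends do."""
    user = json.loads(row["InitiatedBy"]["user"])
    return user.get("userPrincipalName"), row["TargetResources"][0]["displayName"], user.get("ipAddress")


def new_pim_activations(rows, now=NOW, baseline_days=180, recent_days=1):
    """Return PIM activations in the last recent_days whose (user, role) pair never
    appeared in the baseline window: the rightanti join of the query."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)
    activations = [r for r in rows if r["OperationName"] == PIM_ACTIVATION]
    seen = {parse_activation(r)[:2] for r in activations
            if baseline_start < r["TimeGenerated"] < recent_start}
    alerts = []
    for r in activations:
        if r["TimeGenerated"] <= recent_start:
            continue
        upn, role, ip = parse_activation(r)
        if (upn, role) not in seen:  # no match on the left side -> kept by rightanti
            alerts.append({"TimeGenerated": r["TimeGenerated"], "User": upn,
                           "Azure AD Role Name": role, "IPAddress": ip})
    return sorted(alerts, key=lambda a: a["TimeGenerated"])
```

The carol rows show the caveat: an activation older than the 180-day window drops out of the baseline, so a rarely used role re-activated after a long gap will fire again.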

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AuditLogs, TimeGenerated, OperationName, Add member to role completed (PIM activation), InitiatedBy.user, userPrincipalName, TargetResources, displayName, User, Azure AD Role Name, IPAddress, project

Operators

where, and, ==, extend, tostring, parse_json, distinct, join, kind=rightanti, on, project
