Query Details

Audit Logs Azure RBAC Elevated Access

Query

AuditLogs
| where Category == "AzureRBACRoleManagementElevateAccess" or LoggedByService has_any ("Azure RBAC", "Elevated Access")

Explanation

This KQL (Kusto Query Language) query is searching through the AuditLogs table to find specific entries related to Azure role-based access control (RBAC) activities. It filters the logs to include only those entries where:

  1. The Category is exactly "AzureRBACRoleManagementElevateAccess", which suggests actions related to elevating access permissions in Azure RBAC.
  2. The LoggedByService field has either "Azure RBAC" or "Elevated Access" as a term (has_any is a case-insensitive term match, unlike the exact == comparison above), indicating that the log entry was recorded by services related to Azure RBAC or elevated access activities.

In simple terms, this query is looking for logs that involve elevating access permissions in Azure's role-based access control system.
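The same filter run over constructed sample rows, as an added example that is not part of the original query. The `datatable` values (timestamps, operation names, users, IP addresses) are invented for illustration, and the `extend`/`project` steps are an addition assuming the standard `InitiatedBy` dynamic column of AuditLogs. It shows that `==` on Category is case-sensitive, so the second row is only caught by the `has_any` branch, and that the unrelated third row is dropped.

```kql
// Constructed stand-in for the AuditLogs table; none of these rows are real tenant data.
// Row 1: matches on Category (exact, case-sensitive) and on LoggedByService.
// Row 2: Category differs in case, so `==` fails; has_any (case-insensitive) still matches.
// Row 3: unrelated directory activity; neither condition matches.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    Category: string,
    LoggedByService: string,
    OperationName: string,
    Result: string,
    InitiatedBy: dynamic)
[
    datetime(2025-02-03 09:14:00), "AzureRBACRoleManagementElevateAccess", "Azure RBAC (Elevated Access)",
        "constructed: elevate access", "success",
        dynamic({"user": {"userPrincipalName": "admin1@contoso.example", "ipAddress": "203.0.113.10"}}),
    datetime(2025-02-03 09:20:00), "azurerbacrolemanagementelevateaccess", "azure rbac (elevated access)",
        "constructed: remove elevated access", "success",
        dynamic({"user": {"userPrincipalName": "admin2@contoso.example", "ipAddress": "198.51.100.7"}}),
    datetime(2025-02-03 09:25:00), "UserManagement", "Core Directory",
        "constructed: update user", "success",
        dynamic({"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "192.0.2.44"}})
];
SampleAuditLogs
| where Category == "AzureRBACRoleManagementElevateAccess" or LoggedByService has_any ("Azure RBAC", "Elevated Access")
// Pull out who performed the action and from where, for triage.
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName),
         SourceIP = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, Initiator, SourceIP, OperationName, Result, Category
| sort by TimeGenerated desc
```

Against a real workspace, replace `SampleAuditLogs` with `AuditLogs` and drop the `let` statement.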

Details

Jose Sebastián Canós

Released: February 3, 2025

Tables

AuditLogs

Keywords

AuditLogs, AzureRBACRoleManagementElevateAccess, AzureRBAC, ElevatedAccess

Operators

AuditLogs, |, where, ==, or, has_any