Query Details
AuditLogs
| where LoggedByService == "PIM" and AADOperationType == "ActivateAlert"
| mv-apply AuxiliarTargetResources = TargetResources on (
    summarize AlertProperties = make_bag(pack(tostring(AuxiliarTargetResources["type"]), pack("id", AuxiliarTargetResources["id"], "displayName", AuxiliarTargetResources["displayName"])))
)
| extend
    AlertName = strcat("PIM alert", " - ", AlertProperties["AlertInfo"]["displayName"]),
    Provider = tostring(AlertProperties["Provider"]["displayName"]),
    Subscription = tostring(AlertProperties["subscription"]["displayName"])
| project
    TimeGenerated,
    OperationName,
    AlertName,
    Provider,
    Subscription,
    AlertProperties,
    InitiatedBy,
    TargetResources,
    CorrelationId
This query selects Azure AD audit events written by the PIM service (LoggedByService == "PIM") whose AADOperationType is "ActivateAlert", that is, the moments at which PIM raised one of its built-in security alerts (such as too many global administrators or a role activated outside PIM). On these events TargetResources is an array of objects, each carrying a type, an id and a displayName. mv-apply expands that array for each event, and the inner summarize folds the elements back into a single property bag, AlertProperties, keyed by the type value (AlertInfo, Provider, subscription) with the id and displayName nested underneath; pack() is simply the older alias of bag_pack(). The extend step then builds an AlertName column by prefixing "PIM alert - " to the AlertInfo displayName and pulls the Provider and subscription displayNames into their own columns. Property-bag lookups are case-sensitive, so the keys must be written exactly as the type values appear in the log, which is why "Provider" is capitalised and "subscription" is not. Finally, project returns the event time, operation name, alert name, provider, subscription, the full AlertProperties bag, the initiator, the raw TargetResources and the correlation ID, which can be used to tie the alert to the related PIM activity in the same AuditLogs table.
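To make the mv-apply / make_bag folding visible end to end, the following is an added example (not part of the original page or the author's query) that runs the same pipeline over a constructed two-row stand-in for AuditLogs. The SampleAuditLogs table, its GUIDs, ids and display names are all made up for illustration; the added isnotempty() guard is an assumption about how one would handle an event whose TargetResources has no AlertInfo entry.

```kql
// Constructed stand-in for AuditLogs. Row 1 is a PIM alert with the three
// typed TargetResources entries the query keys on; row 2 is an ordinary
// role assignment that the where clause must drop. All values are made up.
let SampleAuditLogs = datatable(
    TimeGenerated: datetime,
    OperationName: string,
    LoggedByService: string,
    AADOperationType: string,
    InitiatedBy: dynamic,
    TargetResources: dynamic,
    CorrelationId: string
)[
    datetime(2023-02-10T09:15:00Z), "Activate alert", "PIM", "ActivateAlert",
    dynamic({"app": {"displayName": "MS-PIM"}}),
    dynamic([
        {"type": "AlertInfo", "id": "alert-1", "displayName": "Too many global administrators"},
        {"type": "Provider", "id": "aadRoles", "displayName": "Azure AD roles"},
        {"type": "subscription", "id": "tenant-1", "displayName": "Contoso tenant"}
    ]),
    "11111111-1111-1111-1111-111111111111",
    datetime(2023-02-10T09:20:00Z), "Add member to role", "Core Directory", "Assign",
    dynamic({"user": {"displayName": "alice@contoso.com"}}),
    dynamic([{"type": "Role", "id": "role-1", "displayName": "Global Administrator"}]),
    "22222222-2222-2222-2222-222222222222"
];
SampleAuditLogs
| where LoggedByService == "PIM" and AADOperationType == "ActivateAlert"
// Expand TargetResources one element per row, then fold the elements of each
// event back into a single bag keyed by the element's "type" value.
| mv-apply AuxiliarTargetResources = TargetResources on (
    summarize AlertProperties = make_bag(
        bag_pack(
            tostring(AuxiliarTargetResources["type"]),
            bag_pack("id", AuxiliarTargetResources["id"],
                     "displayName", AuxiliarTargetResources["displayName"])
        )
    )
)
| extend
    AlertName = strcat("PIM alert", " - ", AlertProperties["AlertInfo"]["displayName"]),
    Provider = tostring(AlertProperties["Provider"]["displayName"]),
    Subscription = tostring(AlertProperties["subscription"]["displayName"])
// Assumed guard: without an AlertInfo entry the bag lookup is empty and the
// row would surface with the bare name "PIM alert - ", so drop it.
| where isnotempty(AlertProperties["AlertInfo"]["displayName"])
| project
    TimeGenerated,
    OperationName,
    AlertName,
    Provider,
    Subscription,
    AlertProperties,
    InitiatedBy,
    TargetResources,
    CorrelationId
```

Pasted into a Log Analytics or Sentinel query window, this returns only the first constructed row: AlertName is built from the AlertInfo entry, Provider and Subscription from the other two entries, and the second row never reaches mv-apply because it fails the LoggedByService / AADOperationType filter. Replacing SampleAuditLogs with AuditLogs restores the original query, with the extra isnotempty() guard kept if you want to suppress events that carry no alert name.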

Jose Sebastián Canós
Released: February 10, 2023