Query Details

Entra ID - Access Review Activities

Azure AD Access Reviews

Query

AuditLogs
| where Category == "Policy"
| where OperationName == "Deny decision"
| extend AccessReview = tostring(TargetResources[0].displayName)
| extend InitiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend TargetUser = tostring(TargetResources[2].userPrincipalName)

About this query

Explanation

The query retrieves Entra ID Access Review activities from the AuditLogs in Microsoft Sentinel. It includes queries for deny decisions, approval decisions, bulk approval, delete access review, and create access review. The queries filter the logs based on the category and operation name, and extract relevant information such as access review name, initiated by user, target user, and IP address.

Details

Alex Verboon profile picture

Alex Verboon

Released: November 2, 2023

Tables

AuditLogs

Keywords

DevicesIntuneUser

Operators

whereCategory=="Policy"OperationName"Deny decision"extendAccessReview=tostring(TargetResources[0].displayName)InitiatedBytostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)TargetUsertostring(TargetResources[2].userPrincipalName)"Approve decision""Bulk Approve decisions""Delete access review"AccessReviewNameIPAddresstostring(AdditionalDetails[3].value)projectTimeGenerated"Create access review"tostring(TargetResources[1].displayName)IPAddress.

Actions

GitHub