Query Details

Visualization Pim Activation

Query

# Visualization of successful PIM activations

## Query Information

#### Description
This query visualises the PIM activations performed by accounts. A user who has used many different PIM roles may be interesting to examine. The same goes for PIM roles with high privileges.

#### References
- https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/

## Sentinel
```
AuditLogs
| where OperationName == "Add member to role completed (PIM activation)"
| summarize count() by Identity
| sort by count_
| render columnchart
```

Explanation

This query visualizes the successful PIM activations performed by user accounts, to help spot users who have used multiple PIM roles or roles with high privileges. It filters the audit logs for the "Add member to role completed (PIM activation)" operation, counts the number of occurrences for each identity, sorts the results by that count, and renders them in a column chart.
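
The query above counts activations per identity but does not show which roles were activated. The following added example (not part of the original query or the author's repository) breaks the same events down by role, so that accounts using many different roles, or high-privilege roles, sort to the top. It assumes the activated role's name is in `TargetResources[0].displayName` for this operation; the 30-day window and the `HighPrivilegeRoles` list are constructed values to adjust per tenant.

```kql
// Added example. Assumption: TargetResources[0].displayName holds the
// name of the activated role for this operation.
// Constructed list of roles to treat as high privilege; adjust per tenant.
let HighPrivilegeRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator"
]);
AuditLogs
| where TimeGenerated > ago(30d)          // assumed lookback window
| where OperationName == "Add member to role completed (PIM activation)"
| extend Role = tostring(TargetResources[0].displayName)
| summarize
    Activations = count(),                // same measure as the original query
    DistinctRoles = dcount(Role),         // how many different roles were used
    Roles = make_set(Role),               // which roles they were
    HighPrivActivations = countif(Role in (HighPrivilegeRoles))
    by Identity
| sort by DistinctRoles desc, HighPrivActivations desc
```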

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

AuditLogs

Keywords

AuditLogs, OperationName, "Add member to role completed (PIM activation)", Identity, count_, render, columnchart

Operators

where, summarize, sort by, render
