Query Details
Minimum Characters For Pim Activation Justification
Query
# Minimum characters for PIM activation justification
## Description
The following query will identify PIM activation justification, that don't meet your minimum characters requirement.
### Microsoft Sentinel
```
let CharactersLength = 7; // Choose how many characters would be your mnimum justification
let Timeframe = 90d; // Choose proper timeframe
AuditLogs
| where TimeGenerated > ago(Timeframe)
| where OperationName == "Add member to role completed (PIM activation)"
| where strlen(ResultDescription) < CharactersLength
| summarize by Identity, ResultDescription
```
### Versioning
| Version | Date | Comments |
| ------------- |---------------| ---------------------------------------|
| 1.0 | 13/04/2024 | Initial publish |
Explanation
This query looks for PIM activation justifications that have less than a specified number of characters within a chosen timeframe. It identifies instances where the length of the justification is below the set minimum and provides details on the identity and description of the justification.
Details
Michalis Michalos
Released: April 13, 2024
Tables
AuditLogs
Keywords
PIM,Activation,Justification,Characters,Requirement,Timeframe,AuditLogs,OperationName,Add,Member,Role,Completed,ResultDescription,Identity,Summarize
Operators
wheresummarizeagostrlen