EXPLORE
Sign In
← Back to Explore
kqlHunting

Audit Justifications for PIM Requests

This query looks at the justification descriptions given for approval per role. use this to check users are PIM'ing up for the right roles for the right tasks

Detection Query

//This query looks at the justification descriptions given for approval per role. use this to check users are PIM'ing up for the right roles for the right tasks
// Where users have repeated the same justification over and over could indicate that they may have tried to script their PIM elevations. #TODO join "Add member to role request approved (PIM activation)" to pull approver (RequestID = tostring(AdditionalDetails[7].value))
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Add member to role requested (PIM activation)"
| extend Role = tostring(TargetResources[0].displayName)
| extend TicketNumber = tostring(AdditionalDetails[7].value)
| summarize by ResultReason , tostring(parse_json((InitiatedBy.user)).userPrincipalName), Role, TicketNumber

Data Sources

AuditLogs

Platforms

azure-ad

Tags

entra
Raw Content
//This query looks at the justification descriptions given for approval per role. use this to check users are PIM'ing up for the right roles for the right tasks
// Where users have repeated the same justification over and over could indicate that they may have tried to script their PIM elevations. #TODO join "Add member to role request approved (PIM activation)" to pull approver (RequestID = tostring(AdditionalDetails[7].value))
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Add member to role requested (PIM activation)"
| extend Role = tostring(TargetResources[0].displayName)
| extend TicketNumber = tostring(AdditionalDetails[7].value)
| summarize by ResultReason , tostring(parse_json((InitiatedBy.user)).userPrincipalName), Role, TicketNumber