kql
Hunting
Global Admin Elevations To User Access Administrator at Root Level
Detection Query
AuditLogs
| where OperationName == "User has elevated their access to User Access Administrator for their Azure Resources"
| extend User = tostring(InitiatedBy.user.userPrincipalName)
| extend IP = tostring(InitiatedBy.user.ipAddress)
Data Sources
AuditLogs
Platforms
azure-ad
Tags
entra