
Solutions/Azure Active Directory/Analytic Rules/PIMElevationRequestRejected.yaml using wrong ActivityDisplayName #8951

Closed
quangmsft opened this issue Sep 5, 2023 · 4 comments · Fixed by #9050
@quangmsft

Describe the bug
This analytic rule template is querying for

AuditLogs
  | where ActivityDisplayName =~'Add member to role completed (PIM activation)'
  | where Result =~ "failure"

Which does not return any results

To Reproduce
Steps to reproduce the behavior:
Run the query in Log Analytics and get no results

Expected behavior
The query should return results for failed/rejected PIM requests.

Additional context
Using the query below instead would return results for rejected PIM requests. This might be because the ActivityDisplayName has been updated in the logs: where it used to be 'Add member to role completed (PIM activation)', the product has changed and is now generating 'Add member to role request denied (PIM activation)'.

AuditLogs
| where ActivityDisplayName =~'Add member to role request denied (PIM activation)'
@github-actions

github-actions bot commented Sep 5, 2023

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-sudkharat

Hi @quangmsft, thanks for flagging this issue, we will soon get back to you on this. Thanks!

@v-rbajaj

Hi @quangmsft, we have reached out to the concerned team for this issue; we will get back to you once there is an update.

@v-rbajaj

v-rbajaj commented Sep 20, 2023

Hi @quangmsft, thanks for suggesting this change.

We have checked the documentation here and could see that both of them are still referenced: 'Add member to role request denied (PIM activation)' and 'Add member to role completed (PIM activation)'.

So we have decided that we will update the query with the following code change and will raise a PR.

AuditLogs
 | where (ActivityDisplayName =~'Add member to role completed (PIM activation)' and Result =~ "failure") or ActivityDisplayName =~'Add member to role request denied (PIM activation)'

Since this can take some time to get live on the solution, you can update it manually for the time being.

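The predicate from the comment above, replayed offline over a handful of constructed AuditLogs rows so the difference between the original rule and the combined rule is visible without a Log Analytics workspace. This is an added example, not code from the issue or from the Azure Sentinel repository; the row layout, identities and the Result values on the sample rows are assumptions, and KQL's `=~` is modelled as case-insensitive string equality.

```python
"""Offline replay of the PIMElevationRequestRejected predicate (example code).

The three rule functions mirror the KQL quoted in the issue:
  - original_rule: completed (PIM activation) AND Result == failure
  - denied_only_rule: the reporter's replacement query
  - updated_rule: the combined predicate proposed in the PR
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AuditLogRow:
    """Minimal stand-in for the AuditLogs columns the rule touches (assumed layout)."""
    TimeGenerated: str
    ActivityDisplayName: str
    Result: str
    Identity: str


# Constructed sample rows. The Result values on the 'request denied' rows are
# an assumption for the example; the point is that the combined predicate does
# not depend on Result for that activity name.
SAMPLE_AUDITLOGS: List[AuditLogRow] = [
    AuditLogRow("2023-09-05T08:00:00Z",
                "Add member to role request denied (PIM activation)",
                "success", "alice@contoso.example"),
    AuditLogRow("2023-09-05T08:05:00Z",
                "Add member to role completed (PIM activation)",
                "failure", "bob@contoso.example"),
    AuditLogRow("2023-09-05T08:10:00Z",
                "Add member to role completed (PIM activation)",
                "success", "carol@contoso.example"),
    # Upper-cased copy to show that =~ (case-insensitive) still matches it.
    AuditLogRow("2023-09-05T08:15:00Z",
                "ADD MEMBER TO ROLE REQUEST DENIED (PIM ACTIVATION)",
                "failure", "dave@contoso.example"),
    AuditLogRow("2023-09-05T08:20:00Z",
                "Update user", "success", "erin@contoso.example"),
]

COMPLETED = "Add member to role completed (PIM activation)"
DENIED = "Add member to role request denied (PIM activation)"


def kql_ci_equals(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.casefold() == right.casefold()


def original_rule(rows: List[AuditLogRow]) -> List[AuditLogRow]:
    """ActivityDisplayName =~ 'completed' and Result =~ 'failure'."""
    return [r for r in rows
            if kql_ci_equals(r.ActivityDisplayName, COMPLETED)
            and kql_ci_equals(r.Result, "failure")]


def denied_only_rule(rows: List[AuditLogRow]) -> List[AuditLogRow]:
    """ActivityDisplayName =~ 'request denied' (the reporter's query)."""
    return [r for r in rows if kql_ci_equals(r.ActivityDisplayName, DENIED)]


def updated_rule(rows: List[AuditLogRow]) -> List[AuditLogRow]:
    """(completed and failure) or request denied (the PR's predicate)."""
    return [r for r in rows
            if (kql_ci_equals(r.ActivityDisplayName, COMPLETED)
                and kql_ci_equals(r.Result, "failure"))
            or kql_ci_equals(r.ActivityDisplayName, DENIED)]


def identities(rows: List[AuditLogRow]) -> List[str]:
    """Project the matched rows down to the requesting identity, in log order."""
    return [r.Identity for r in rows]


if __name__ == "__main__":
    for name, rule in (("original", original_rule),
                       ("denied-only", denied_only_rule),
                       ("updated", updated_rule)):
        print(f"{name:12s} -> {identities(rule(SAMPLE_AUDITLOGS))}")
```

On a tenant that only ever logs the 'request denied' activity name, `original_rule` returns nothing, which is the symptom in the bug report; `denied_only_rule` would miss any rows still logged under the older 'completed' name with Result 'failure', and the combined `updated_rule` covers both, which is why the PR keeps both clauses instead of swapping one name for the other.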
@v-rbajaj v-rbajaj linked a pull request Sep 20, 2023 that will close this issue
v-amolpatil added a commit that referenced this issue Sep 22, 2023
Issue Fix #8951 - Update PIMElevationRequestRejected.yaml