Alerts Correlation KQL

Alon Keilin 141 Reputation points

Hi team,
I have implemented the following alert:

User Assigned Privileged Role


```kusto
AuditLogs
| where Category =~ "RoleManagement"
| where AADOperationType in ("Assign", "AssignEligibleRole")
| where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)
| where displayName_ =~ "Role.DisplayName"
| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
| where RoleName contains "Admin"
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
// Uncomment below to not alert for PIM activations
//| where Initiator != "MS-PIM"
| extend Target = tostring(TargetResources.userPrincipalName)
| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result
| extend AccountCustomEntity = Target
```

How can I make a correlation that this alert will be raised only when the user in question is involved in a further alert?

Thank you

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

1 answer

  1. Maxim Sergeev 6,556 Reputation points Microsoft Employee

    Hi there,

    As an idea - you can trigger the query from another alert rule as a webhook and share results via the trigger (LogicApps for example)

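The correlation asked about in the question can also be written as a single scheduled query that joins the role assignments to the `SecurityAlert` table on the user. This is an added example, not part of the original thread. The `lookback` and `window` values, the helper names `RoleAssignments` and `UserAlerts`, and the assumption that account entities carry `Name` and `UPNSuffix` are illustrative.

```kusto
// Added example: raise a result only when the user who received an admin role
// also appears as an account entity in another alert shortly afterwards.
let lookback = 1d;   // assumed query period
let window = 1h;     // assumed time allowed between role assignment and the further alert
let RoleAssignments =
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | where Category =~ "RoleManagement"
    | where AADOperationType in ("Assign", "AssignEligibleRole")
    | where ActivityDisplayName has_any ("Add eligible member to role", "Add member to role")
    | mv-expand TargetResources
    | mv-expand TargetResources.modifiedProperties
    | where tostring(TargetResources_modifiedProperties.displayName) =~ "Role.DisplayName"
    | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
    | where RoleName contains "Admin"
    | extend Target = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(Target)
    | project AssignedAt = TimeGenerated, RoleName, Target;
let UserAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    // Skip alerts produced by the role-assignment rule itself
    | where AlertName != "User Assigned Privileged Role"
    // Entities is a JSON array stored as a string; expand it to one row per entity
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) =~ "account"
    | extend Target = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity, SystemAlertId, Target;
RoleAssignments
| join kind=inner UserAlerts on Target
// Keep only alerts that fire after the assignment and inside the window
| where AlertTime >= AssignedAt and AlertTime <= AssignedAt + window
| summarize Alerts = make_set(AlertName), AlertCount = dcount(SystemAlertId)
    by Target, RoleName, AssignedAt
| extend AccountCustomEntity = Target
```

Alerts whose account entity has no `UPNSuffix` (for example, entities identified only by an object ID) will not match on `Target` and need a different join key.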