From ac607bebf2e94dba888d2638a511ba3f2b716c2c Mon Sep 17 00:00:00 2001
From: Lodewyk-Git <36856692+Lodewyk-Git@users.noreply.github.com>
Date: Tue, 24 May 2022 17:15:47 +0200
Subject: [PATCH] Update UserAssignedPrivilegedRole.yaml

Adding a section to not alert for PIM when uncommented
---
 Detections/AuditLogs/UserAssignedPrivilegedRole.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml b/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml
index 0542c7de15..685400e05c 100644
--- a/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml
+++ b/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml
@@ -31,6 +31,8 @@ query: |
 | where RoleName contains "Admin"
 | extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
 | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))
+ // Uncomment below to not alert for PIM activations
+ //| where Initiator != "MS-PIM"
 | extend Target = tostring(TargetResources.userPrincipalName)
 | summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result
 | extend AccountCustomEntity = Target
@@ -43,5 +45,5 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: AccountCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: scheduled
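Review bot: The new commented-out filter `//| where Initiator != "MS-PIM"` suppresses every event whose initiator resolves to MS-PIM, not only the PIM activations named in the comment above it, so once uncommented a PIM-driven permanent role assignment is dropped along with the activations. Initiator is built from `InitiatedBy.app.displayName` on the preceding line, which is a display label rather than an identity, and `!=` is a case-sensitive comparison; matching `tostring(parse_json(tostring(InitiatedBy.app)).appId)` against the PIM application id (placeholder `<MS-PIM-appId>`) is the more robust exclusion, and adding an OperationName condition would keep it to activations if that is the intent. The comment should state the real scope of the exclusion, e.g. `// Uncomment below to suppress all role changes initiated by MS-PIM (activations and PIM-driven assignments)`. The `query: |` block starts before and ends after this hunk.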