PromptBase
Upgrade
Close icon
General
Home
Marketplace
Create
Hire
Login
Chat
Sell
Explore

Prompt Details

Model
(claude-4-6-sonnet)
Token size
581
Example input
[role_scope]: Global Administrator [time_window]: 7d [alert_threshold]: 1 [environment_label]: PROD-HEALTH
Example output
INPUTS USED: Role scope: Global Administrator Time window: 7d Alert threshold: 1 Environment label: PROD-HEALTH // ── 1. TIME SCOPE ───────────────────────────────────────────────────────────── // Adjust lookbackWindow to widen or narrow the detection period. let lookbackWindow = 7d; let alertThreshold = 1; let envLabel = "PROD-HEALTH"; // ── 2. ROLE FILTER ──────────────────────────────────────────────────────────── // Filter early on indexed columns to minimise data scanned. AuditLogs | where TimeGenerated >= ago(lookbackWindow) | where Category == "RoleManagement" | where OperationName has_any ("Add member to role", "Remove member from role") | where TargetResources has "Global Administrator" // ── 3. AGGREGATION ──────────────────────────────────────────────────────────── // Summarise to actor, target, operation and role — drop all other columns. | extend Actor = tostring(InitiatedBy.user.userPrincipalName) | extend TargetAccount = tostring(TargetResources[0].userPrincipalName) | extend RoleName = tostring(TargetResources[0].displayName) | extend Operation = OperationName | summarize EventCount = count(), LastSeen = max(TimeGenerated) by Actor, TargetAccount, Operation, RoleName | where EventCount >= alertThreshold // ── 4. OUTPUT ───────────────────────────────────────────────────────────────── // Tag each row with environment, apply severity, sort most critical first. | extend Environment = envLabel | extend Severity = case( Operation has "Add" and RoleName has "Global", "Critical", Operation has "Add", "High", Operation has "Remove", "Medium", "Low") | project LastSeen, Severity, Actor, TargetAccount, Operation, RoleName, EventCount, Environment | sort by LastSeen desc, Severity asc --- ANALYST NOTE: This query detects every addition or removal of the Global Administrator role in the last 7 days. Raise lookbackWindow to 30d for trend analysis. Reduce alertThreshold to 1 to fire on any single event. When a Critical row appears, immediately verify the change in Entra ID PIM, confirm with the initiating actor's manager, and suspend the account if the change is unauthorised.
🌀 Claude

Kql Privileged Role Change Detect

Add to Cart
Instant accessInstant access
Usage rightsCommercial use
Money-back guaranteeMoney‑back
By purchasing this prompt, you agree to our terms of service
CLAUDE-4-6-SONNET
Tested icon
Guide icon
4 examples icon
Free credits icon
Instantly generate a production-ready Sentinel KQL query that surfaces every privileged role assignment and removal across your environment. Paste in your role scope, set your time window and alert threshold, and receive a fully commented, tunable query with early filters, summarisation, and severity logic — ready to drop straight into an analytic rule or workbook.
...more
Added 3 weeks ago
Report
Browse Marketplace