Audit Logs Azure RBAC Elevated Access
Query
AuditLogs
| where Category == "AzureRBACRoleManagementElevateAccess" or LoggedByService has_any ("Azure RBAC", "Elevated Access")Explanation
This KQL (Kusto Query Language) query is searching through the AuditLogs table to find specific entries related to Azure role-based access control (RBAC) activities. It filters the logs to include only those entries where:
- The
Categoryis exactly "AzureRBACRoleManagementElevateAccess", which suggests actions related to elevating access permissions in Azure RBAC. - The
LoggedByServicefield contains either "Azure RBAC" or "Elevated Access", indicating that the log entry was recorded by services related to Azure RBAC or elevated access activities.
In simple terms, this query is looking for logs that involve elevating access permissions in Azure's role-based access control system.
Details

Jose Sebastián Canós
Released: February 3, 2025
Tables
AuditLogs
Keywords
AuditLogsAzureRBACRoleManagementElevateAccessAzureRBACElevatedAccess
Operators
AuditLogs|where==orhas_any