
How to correlate audit logs of Privileged Identity Management in Azure?


I am looking for a way to bundle the individual log entries inside the Privileged Identity Management audit logs by the workflow they belong to.

Every action (like request -> approval -> completion) is a separate entry in the audit logs, and simply grouping by requester and role is not helpful e.g. in case the same person requests something multiple times.

There is a CorrelationId field in every audit log but that is not the same for all steps from the workflow.

I found this in the docs, but that is not helpful for automatic processing:

Typically, the log event immediately above the approval event is an event for "Add member to role completed" where the Initiated by (actor) is the requester. In most cases, you won't need to find the requester in the approval request from an auditing perspective.

Is there another way that I am overlooking?


Solution

  • You could do that by using the Request Id from the Target(s). All actions (request->approval->completion) use the same Request Id.

    [Screenshot of the Target(s) tab on Audit Log Details]
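The grouping described in the answer, as an added example that is not part of the original answer: it bundles exported audit entries by the Request Id found in their targets. It assumes the entries follow the Microsoft Graph `directoryAudit` field names and that the Request Id is the `id` of a `targetResources` item whose `type` is "Request"; the sample records, activity labels and helper names are constructed.

```python
from collections import defaultdict

REQUEST_TYPE = "Request"  # assumption: "type" value of the Request Id target

def request_id(entry, request_type=REQUEST_TYPE):
    """Return the Request Id found in the entry's targets, or None."""
    for target in entry.get("targetResources") or []:
        if target.get("type") == request_type and target.get("id"):
            return target["id"]
    return None

def group_by_request(entries):
    """Bundle entries into workflows keyed by Request Id, oldest step first."""
    workflows, unmatched = defaultdict(list), []
    for entry in entries:
        rid = request_id(entry)
        (workflows[rid] if rid else unmatched).append(entry)
    for steps in workflows.values():
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        steps.sort(key=lambda e: e["activityDateTime"])
    return dict(workflows), unmatched

def make_entry(time, activity, actor, corr, req=None):
    """Build one constructed sample record (all values are made up)."""
    targets = [{"type": "Role", "id": "role-1", "displayName": "Example Role"}]
    if req:
        targets.append({"type": REQUEST_TYPE, "id": req})
    return {"activityDateTime": time, "activityDisplayName": activity,
            "correlationId": corr, "targetResources": targets,
            "initiatedBy": {"user": {"userPrincipalName": actor}}}

# Constructed log: the same requester activates the same role twice, steps are
# interleaved and out of order, and every entry has its own correlationId.
SAMPLE = [
    make_entry("2024-01-01T09:05:00Z", "approved", "bob@example.com", "c2", "req-A"),
    make_entry("2024-01-01T09:01:00Z", "requested", "alice@example.com", "c4", "req-B"),
    make_entry("2024-01-01T09:00:00Z", "requested", "alice@example.com", "c1", "req-A"),
    make_entry("2024-01-01T09:07:00Z", "completed", "alice@example.com", "c6", "req-B"),
    make_entry("2024-01-01T09:06:00Z", "completed", "alice@example.com", "c3", "req-A"),
    make_entry("2024-01-01T09:06:30Z", "approved", "bob@example.com", "c5", "req-B"),
    make_entry("2024-01-01T10:00:00Z", "role setting updated", "carol@example.com", "c7"),
]

if __name__ == "__main__":
    workflows, unmatched = group_by_request(SAMPLE)
    for rid, steps in sorted(workflows.items()):
        print(rid, [s["activityDisplayName"] for s in steps])
    print("no Request Id:", len(unmatched))
```

Entries without a request target are returned separately rather than dropped, so they can still be reviewed.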