# Overview

> **SCU Cost Estimate**
>
> This agent typically consumes **\~0.3 SCUs** per analysis run, depending on the time window analyzed and volume of PIM activations in your environment.

### Introduction

PIM Insights gives you complete visibility into privileged access in your organization. If you've ever needed to answer "who activated Global Administrator this week?" or "are there failed PIM activation attempts that could be attacks?", this agent is for you. It analyzes all PIM role activations, reconstructs detailed timelines of privileged access, identifies anomalies and failed attempts, and provides a security risk assessment with actionable recommendations.


### What It Does

* **Reconstructs Global Administrator timelines** minute by minute, showing who had access, when, and why
* **Analyzes failed PIM activations** to identify potential attacks or unauthorized access attempts
* **Tracks all role activations** with comprehensive usage statistics
* **Validates activation reasons** for compliance with justification requirements
* **Detects anomalies** in privileged access patterns (unusual times, locations, frequency)
* **Correlates identity risk data** showing risky users who have privileged access
* **Analyzes sign-in patterns** before and after role activations
* **Provides risk assessment** with severity scoring and prioritized recommendations
* **Generates Azure Workbooks** for ongoing PIM monitoring (optional)
* **Creates compliance reports** ready for audit review

### Use Cases

#### 1. Global Administrator Access Audit

You need to know who has been using Global Administrator privileges and why. PIM Insights reconstructs a complete timeline of all Global Admin activations with exact timestamps, user identities, activation reasons, and session durations. Perfect for compliance audits, security reviews, or investigating suspicious activity.

#### 2. Detecting Unauthorized Access Attempts

Someone is trying to activate privileged roles without proper authorization. PIM Insights analyzes all failed activation attempts, correlates them with user behavior and identity risk, and highlights potential attack indicators (brute force attempts, risky users trying to elevate, suspicious patterns). Catch threats before they succeed.

#### 3. PIM Compliance Reporting

Your security or compliance team needs a report on privileged access for the quarter. The agent generates a comprehensive report showing all activations, validates that users provided proper justifications, identifies any compliance violations (activations without reasons, excessive durations, etc.), and summarizes role usage statistics.

#### 4. Anomaly Detection in Privileged Access

You want to know if privileged access patterns are unusual. PIM Insights detects anomalies like activations at odd hours, from unusual locations, by users who rarely use privileges, or with abnormal frequency. Get alerts about suspicious behavior patterns that might indicate compromised accounts.

#### 5. Ongoing PIM Monitoring

You need continuous visibility into privileged access, not just one-time reports. The agent can generate Azure Workbook configurations that you deploy for real-time PIM monitoring dashboards. Track activation trends, failed attempts, and compliance metrics over time.

### Why PIM Insights?

| The Problem You're Dealing With                                                                          | How This Helps                                                                                  |
| -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| **Global Admin access is invisible**: No easy way to see who's been using the most powerful role         | **Complete timelines**: Minute-by-minute reconstruction of all Global Administrator activations |
| **Failed attempts go unnoticed**: Potential attacks hidden in audit logs                                 | **Failed activation analysis**: All failed attempts highlighted with risk assessment            |
| **Compliance is manual work**: Auditors want privileged access reports and you're manually building them | **Ready-made reports**: Comprehensive compliance documentation automatically generated          |
| **Anomalies are hard to spot**: Unusual privileged access patterns get lost in the noise                 | **Anomaly detection**: Automated identification of suspicious activation patterns               |
| **No ongoing visibility**: You can pull logs, but there's no dashboard for continuous monitoring         | **Azure Workbooks**: Optional monitoring dashboards for real-time PIM visibility                |
| **Risk context is missing**: Don't know if risky users have privileged access                            | **Identity risk correlation**: Shows which risky users have elevated privileges                 |

### How It Works

**What goes in:**

* Time window for analysis (e.g., last 7 days, last 30 days)
* Optional: Focus on specific role (e.g., Global Administrator)
* Optional: Report format preferences
* Optional: Azure Workbook generation flag
* PIM activation logs and audit data
* Identity risk events and risky user data
* Sign-in logs before and after activations
* User authentication methods and MFA status

**What it does:**

* Retrieves all PIM role activations within the time window
* Analyzes failed activation attempts and correlates with identity risk
* Reconstructs minute-by-minute timeline for Global Administrator (and other roles)
* Validates activation reasons against compliance requirements
* Performs advanced hunting for anomalous patterns (time, location, frequency)
* Enriches findings with identity risk data and sign-in analysis
* Calculates risk scores for privileged access activities
* Generates prioritized remediation recommendations
* Creates Azure Workbook configuration (if requested)

**What you get:**

* Executive summary with key findings and overall risk assessment
* Global Administrator minute-by-minute timeline (who, when, why, duration)
* Failed activation analysis with potential attack indicators
* Role usage statistics (activation counts by role and user)
* Activation reason compliance analysis (missing justifications, policy violations)
* Anomaly detection results (unusual times, locations, frequencies)
* Identity risk assessment (risky users with privileged access)
* Sign-in pattern analysis before and after activations
* Threat intelligence findings correlated with activations
* Risk-based recommendations prioritized by severity
* Optional: Azure Workbook configuration for ongoing monitoring
* Compliance-ready report suitable for audit documentation
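
The timeline reconstruction, justification check, duration check, off-hours check and failed-attempt analysis listed above, applied to constructed activation records. This is an added example, not the agent's own code; the record layout, thresholds and business-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, user, role, result, reason, hours). Hypothetical schema.
EVENTS = [
    ("2024-05-06T09:12:00", "alice@example.com", "Global Administrator", "success", "CHG-1042 update conditional access", 2),
    ("2024-05-07T02:41:00", "bob@example.com", "Global Administrator", "failure", "", 0),
    ("2024-05-07T02:43:00", "bob@example.com", "Global Administrator", "failure", "", 0),
    ("2024-05-07T02:44:00", "bob@example.com", "Global Administrator", "failure", "", 0),
    ("2024-05-07T02:50:00", "bob@example.com", "Global Administrator", "success", "test", 8),
    ("2024-05-08T14:05:00", "carol@example.com", "User Administrator", "success", "INC-77 reset locked accounts", 1),
]
BUSINESS_HOURS = range(7, 19)       # assumed policy: 07:00-18:59
MIN_REASON_LEN = 10                 # assumed minimum justification length
MAX_HOURS = 4                       # assumed maximum activation duration
BURST = (3, timedelta(minutes=10))  # assumed: 3 failures within 10 minutes

def timeline(events, role):
    """Successful activations of one role as (start, end, user, reason), oldest first."""
    starts = [(datetime.fromisoformat(ts), hours, user, reason)
              for ts, user, r, result, reason, hours in events
              if r == role and result == "success"]
    return sorted((s, s + timedelta(hours=h), u, why) for s, h, u, why in starts)

def findings(events):
    """Sorted (user, finding) pairs for policy violations and anomalies."""
    out, failures = set(), defaultdict(list)
    for ts, user, role, result, reason, hours in events:
        when = datetime.fromisoformat(ts)
        if result == "failure":
            failures[user].append(when)
            continue
        if len(reason.strip()) < MIN_REASON_LEN:
            out.add((user, "weak justification"))
        if when.hour not in BUSINESS_HOURS:
            out.add((user, "off-hours activation"))
        if hours > MAX_HOURS:
            out.add((user, "excessive duration"))
    count, window = BURST
    for user, times in failures.items():
        times.sort()
        # Sliding window: any `count` consecutive failures that fit inside `window`.
        if any(times[i + count - 1] - times[i] <= window for i in range(len(times) - count + 1)):
            out.add((user, "failed-activation burst"))
    return sorted(out)

if __name__ == "__main__":
    for row in timeline(EVENTS, "Global Administrator") + findings(EVENTS):
        print(*row, sep="  ")
```
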

