Query Details

Privileged Group Membership Change via Provisioning

04 AAD Prov Privileged Group Change

Query

AADProvisioningLogs
| where TimeGenerated > ago(2h)
| where ResultType =~ "Success"
| extend Target     = tostring(parse_json(TargetIdentity).displayName)
| extend TargetType = tostring(parse_json(TargetIdentity).IdentityType)
| extend Modified   = tostring(ModifiedProperties)
| where TargetType =~ "Group" or Target has_any ("Admin","Tier0","Sensitive","Privileged","PIM")
| where Modified has_any ("members","memberOf","Members","appRoleAssignments","directoryRoles")
| extend SPName       = tostring(parse_json(ServicePrincipal).Name)
| extend InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName)
| extend InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
| project TimeGenerated, JobId, CycleId, ChangeId, SPName,
          Initiator = coalesce(InitiatorUpn, InitiatorApp),
          TargetGroup = Target,
          OperationName, ProvisioningAction, ModifiedProperties
| order by TimeGenerated desc

Explanation

This query is designed to detect changes in membership of privileged groups through provisioning operations, which is unusual and could indicate a security threat. Here's a simple breakdown:

  1. Purpose: The query identifies when membership of important security groups (like Domain Admins, Global Administrators, or any group with names containing Admin, Tier0, Sensitive, etc.) is altered via provisioning processes. Such changes are not typical and should be investigated immediately.

  2. Data Source: It uses logs from Azure Active Directory, specifically the AADProvisioningLogs.

  3. Frequency: The query runs every hour and checks for changes made in the last two hours.

  4. Severity: The alert generated by this query is marked as high severity due to the potential security implications.

  5. Detection Logic:

    • It looks for successful provisioning operations.
    • It checks if the target of these operations is a group with a name indicating high privilege.
    • It examines if the changes involve group membership or role assignments.
  6. Output: The query lists details like the time of change, the service principal name, the initiator of the change, the target group, and the type of operation performed.

  7. Alerting: If such a change is detected, an alert is generated with a specific format, highlighting the service and group involved.

  8. Incident Management: The system can create incidents for these alerts, grouping them by the cloud application involved, to help manage and investigate potential security incidents efficiently.

Overall, this query helps in monitoring and securing privileged group memberships by flagging unusual provisioning activities that could be indicative of unauthorized access or privilege escalation attempts.

Details

David Alonso profile picture

David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

ProvisioningOperationsPrivilegedGroupMembershipAzureActiveDirectoryCloudApplicationAccount

Operators

ago()=~parse_json()tostring()has_any()coalesce()projectorder by

Severity

High

Tactics

PrivilegeEscalationPersistence

MITRE Techniques

Frequency: 1h

Period: 2h

Actions

GitHub