Query Details

List All Role Additions

AD Role Additions

Query

AuditLogs
| where OperationName == 'Add member to role'
// If you do want to show PIM activations remove this filter
| where Identity != 'MS-PIM'
| extend RoleLine = tostring(extract(@'Role.DisplayName(.*?)"}', 1, tostring(TargetResources)))
| extend Role = tostring(extract(@'newValue":"\\"(.*?)\\', 1, RoleLine)), userPrincipalName = parse_json(TargetResources).[0].userPrincipalName
| project TimeGenerated, Role, OperationName, userPrincipalName, Identity

About this query

List All Role Additions

Query Information

Description

This query list all role additions that have been performed in your tenant. See the Microsoft Link for the default roles that exsits in Azure Active Directory. They contain reader, operator, administrator and other roles. It is good practice to gain insight into the roles that have been assigned to accounts. Based on this query you can build a detection for specific roles with high priviliges such as Global Admin, Security Admin or Exchange Admin.

References

Sentinel

Explanation

This query is designed to list all instances where roles have been added to user accounts within an Azure Active Directory tenant. Here's a simple breakdown of what the query does:

  1. Data Source: It pulls data from the AuditLogs, which records various activities and changes within the Azure environment.

  2. Filter by Operation: It specifically looks for operations where a member is added to a role, indicated by the OperationName being 'Add member to role'.

  3. Exclude PIM Activations: It excludes role additions that are part of Privileged Identity Management (PIM) activations by filtering out entries where the Identity is 'MS-PIM'. This is optional, and you can remove this filter if you want to include PIM activations.

  4. Extract Role Information: It extracts the display name of the role that was added using regular expressions to parse the TargetResources field.

  5. Extract User Information: It also extracts the userPrincipalName of the account to which the role was added.

  6. Select Relevant Data: Finally, it selects and displays the following information: the time the role was added (TimeGenerated), the name of the role (Role), the operation name (OperationName), the user principal name (userPrincipalName), and the identity performing the operation (Identity).

This query helps in monitoring and gaining insights into role assignments, particularly focusing on identifying when high-privilege roles like Global Admin, Security Admin, or Exchange Admin are assigned.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

AuditLogs

Keywords

AuditLogsRoleTargetResourcesUserPrincipalNameIdentityTimeGeneratedOperationName

Operators

AuditLogswhereextendtostringextractprojectparse_json

Actions

GitHub