Query Details

Added App Roles With Classification

Query

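// Added API Permissions with enriched classification from EntraOps Privileged EAM
// Modified version from "Admin promotion after Role Management Application Permission Grant" (f80d951a-eddc-4171-b9d0-d616bb83efdc) and "Service Principal Assigned App Role With Sensitive Access" (dd78a122-d377-415a-afe9-f22e08d2112c) from Microsoft Sentinel Repo
//
// Purpose: list successful "Add app role assignment to service principal" audit events
// (application/API permission grants) from the last 90 days and enrich each granted app role
// with its EntraOps tier level and category, so grants of privileged permissions stand out.
//
// NOTE(review): the classification list is fetched at query time from the "main" branch of a
// third-party GitHub repository. Anyone who can change that file can change the classification
// of a permission and, because the join below is an inner join, make a grant disappear from
// this query's results. Pin the URL to a specific commit, or mirror the file into a storage
// account / Sentinel watchlist you control, before relying on this in a detection rule.
// externaldata also needs external-data access to be permitted for the workspace.
let SensitiveMsGraphPermissions = externaldata(AppRoleDisplayName: string, AppRoleId: string, AppId: string, EAMTierLevelName: string, Category: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_AppRoles.json"] with(format='multijson');
AuditLogs
| where TimeGenerated > ago(90d)
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where AADOperationType =~ "Assign"
// case-insensitive match, consistent with the other string filters in this query
| where OperationName =~ "Add app role assignment to service principal"
| where Result =~ "success"
| mv-expand TargetResources
// First expansion: keep only the modified property that carries the granted app role value
| mv-expand TargetResources.modifiedProperties
| extend ModifiedProperty = tostring(TargetResources_modifiedProperties.displayName)
| where ModifiedProperty =~ "AppRole.Value"
| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))
// Actor: the user (UPN / object id / IP) when present, otherwise the initiating application
| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.id))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
// NOTE(review): as in the upstream Sentinel queries, only the first AdditionalDetails entry is
// inspected; if "User-Agent" is not the first key the column is empty (the event is still returned).
| extend UserAgent = iff(tostring(AdditionalDetails[0].key) =~ "User-Agent", tostring(AdditionalDetails[0].value), "")
// newValue is a JSON-encoded string (e.g. "\"Directory.Read.All\""); strip the quotes to build the join key
| extend AddedPermission = replace_string(tostring(TargetResources_modifiedProperties.newValue), '"', '')
// Inner join: grants whose app role is not present in the classification list are dropped here.
// NOTE(review): the join key is the role display name only. The same role name can exist on more
// than one resource application, so a grant on another API with an identical role name would be
// classified as if it were the Microsoft Graph permission. Joining on AppRoleId as well would be
// stricter if the event exposes an "AppRole.Id" modified property - verify against your tenant's logs.
| join kind=inner (
    SensitiveMsGraphPermissions
    | project AddedPermissionClassification = EAMTierLevelName, AddedPermissionCategory = Category, AppRoleDisplayName
  ) on $left.AddedPermission == $right.AppRoleDisplayName
// TargetResources still holds the full modifiedProperties array, so it is expanded again
// (once per property) to pick up the target service principal's identifiers
| mv-expand TargetResources.modifiedProperties
| where tostring(TargetResources_modifiedProperties.displayName) =~ "ServicePrincipal.ObjectID"
| extend ServicePrincipalObjectID = replace_string(tostring(TargetResources_modifiedProperties.newValue), '"', '')
| mv-expand TargetResources.modifiedProperties
| where tostring(TargetResources_modifiedProperties.displayName) =~ "ServicePrincipal.DisplayName"
| extend ServicePrincipalDisplayName = replace_string(tostring(TargetResources_modifiedProperties.newValue), '"', '')
| mv-expand TargetResources.modifiedProperties
| where tostring(TargetResources_modifiedProperties.displayName) =~ "ServicePrincipal.AppId"
| extend ServicePrincipalAppId = replace_string(tostring(TargetResources_modifiedProperties.newValue), '"', '')
| project-reorder OperationName, ServicePrincipalObjectID, ServicePrincipalDisplayName, ServicePrincipalAppId, InitiatingUserOrApp, InitiatingUserOrAppId, InitiatingIpAddress, UserAgent, AddedPermission, AddedPermissionClassification, AddedPermissionCategory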

Explanation

This query retrieves Entra ID (Core Directory) audit logs for successful assignments of app roles (application/API permissions) to service principals within the last 90 days. It filters on service, category, operation type, operation name and result, then expands the target resource's modified properties to extract the granted app role, the initiating user or application (name, id, IP address, user agent) and the target service principal (object id, display name, app id). The granted app role is joined with classification data (tier level and category) that is downloaded at query time from the EntraOps Privileged EAM repository on GitHub via externaldata. Because the join is an inner join, grants of permissions that are not present in that classification list are not returned; since the list is fetched from a third-party repository's main branch, consider pinning it to a specific commit or mirroring it into a watchlist you control before using the query in a detection rule. Finally, the query reorders the output columns.

Details


Thomas Naunheim

Released: October 15, 2023

Tables

AuditLogs, SensitiveMsGraphPermissions (externaldata from GitHub)

Keywords

Devices,Intune,User,AppRoleDisplayName,AppRoleId,AppId,EAMTierLevelName,Category,AuditLogs,TimeGenerated,LoggedByService,Category,AADOperationType,OperationName,Result,TargetResources,TargetResources.modifiedProperties,ModifiedProperty,AppRole,InitiatingUserOrApp,InitiatingUserOrAppId,InitiatingIpAddress,UserAgent,AddedPermission,AddedPermissionClassification,ServicePrincipal.ObjectID,ServicePrincipal.DisplayName,ServicePrincipal.AppId.

