Query Details

Added Owner To Application For Unprivileged

Query

// Owner added to high privileged application to unprivileged or lower privileged user
  AuditLogs
  | where TimeGenerated >ago(365d)
  | where OperationName in ("Add owner to application","Add owner to service principal")
  | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id),tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.id))
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties | where TargetResources_modifiedProperties.displayName == "Application.ObjectID" | extend ApplicationObjectID = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
  | mv-expand TargetResources.modifiedProperties | where TargetResources_modifiedProperties.displayName == "Application.DisplayName" | extend ApplicationDisplayName = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
  | mv-expand TargetResources.modifiedProperties | where TargetResources_modifiedProperties.displayName == "Application.AppId" | extend ApplicationAppId = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
  | extend AddedOwnerId = tostring(TargetResources.id)
  | join kind=inner(
    AzADSPI
    | project-rename AppClassification = EnterpriseAccessModelTiering
    ) on $left.ApplicationObjectID == $right.ApplicationObjectId  
  | join kind=inner (
    PrivilegedEAM_CL
        | where TimeGenerated > ago(14d)
        | summarize arg_max(TimeGenerated, *) by ObjectId
        | extend AddedOwnerClassification = iff(isnotempty(parse_json(Classification)), parse_json(Classification), "UserAccess")
        | project ObjectId, ObjectAdminTierLevel, ObjectAdminTierLevelName, AddedOwnerClassification, AddedOwnerUserPrincipalName = ObjectUserPrincipalName, AddedOwnerDisplayName = ObjectDisplayName
    ) on $left.AddedOwnerId == $right.ObjectId
| where parse_json(tostring(parse_json(AddedOwnerClassification))) !contains AppClassification and (parse_json(tostring(parse_json(AddedOwnerClassification))) !contains "ControlPlane")
| project-reorder OperationName, ApplicationObjectID, ApplicationDisplayName, ApplicationAppId, AppClassification, InitiatingUserOrApp, InitiatingUserOrAppId, InitiatingIpAddress, AddedOwnerId, AddedOwnerClassification, AddedOwnerUserPrincipalName, AddedOwnerDisplayName

Explanation

This query is designed to identify instances where a user with lower privileges is added as an owner to a high-privileged application or service principal. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at audit logs from the past year (365 days) to find operations where an owner was added to an application or service principal.

  2. Initiator Details: It extracts details about who initiated the operation, including their username, ID, and IP address.

  3. Target Application Details: It expands and extracts details about the target application, such as its Object ID, Display Name, and App ID.

  4. Application Classification: It joins this data with another dataset (AzADSPI) to get the classification of the application, which indicates its privilege level.

  5. Owner Classification: It further joins with a dataset (PrivilegedEAM_CL) to get details about the newly added owner, including their classification and privilege level.

  6. Filter Criteria: It filters out cases where the classification of the added owner does not match the application's classification and is not related to "ControlPlane" access.

  7. Output: Finally, it organizes the results to show key details such as the operation name, application details, initiator details, and the added owner's details and classification.

In essence, this query helps identify potential security concerns where lower-privileged users are granted ownership of high-privileged applications, which could indicate a misconfiguration or a security risk.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: October 28, 2023

Tables

AuditLogsAzADSPIPrivilegedEAM_CL

Keywords

AuditLogsApplicationServicePrincipalUserAppIpAddressTargetResourcesApplicationObjectIDApplicationDisplayNameApplicationAppIdAzADSPIEnterpriseAccessModelTieringPrivilegedEAMObjectIdObjectAdminTierLevelObjectAdminTierLevelNameUserAccessControlPlaneOperationName

Operators

//|where>agoinextendiffisnotemptytostringmv-expand==replace_stringjoinkind=innerproject-renameonsummarizearg_maxbyparse_json!containsandproject-reorder

Actions

GitHub