Query Details

Audit Access Package Created

Query

//Detect when an Azure AD Entitlement Package is created. You may want to review which resources and roles have been included in the package.

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Create access package"
| where TargetResources[0].type == "AccessPackage"
| extend AccessPackageName = tostring(TargetResources[0].displayName)
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, AccessPackageName, Actor

Explanation

This query looks for the creation of an Azure AD Entitlement Management access package. It filters the audit logs to events from the past day where the operation name is "Create access package" and the first target resource is of type "AccessPackage". It then extracts the display name of the access package and the user principal name of the actor who initiated the creation (taken from InitiatedBy.user). The final result includes the timestamp, operation name, access package name, and actor.
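As an added example, not part of the original page or the author's query, the same time window, operation filter, target-type check and field extraction reproduced in Python over constructed audit records; it also covers the case the KQL handles silently, an app-initiated creation where InitiatedBy.user is null and the Actor column comes back blank. The function name, sample rows and timestamps are assumptions for this illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample AuditLogs rows (not real tenant data); the field shapes follow
# the Azure AD audit log schema the KQL above relies on. NOW stands in for ago().
NOW = datetime(2022, 6, 17, 12, 0, tzinfo=timezone.utc)
SAMPLE_AUDITLOGS = [
    {"TimeGenerated": NOW - timedelta(hours=2), "OperationName": "Create access package",
     "TargetResources": [{"type": "AccessPackage", "displayName": "Finance Contractors"}],
     "InitiatedBy": {"user": json.dumps({"userPrincipalName": "alice@contoso.example"})}},
    # App/service-principal initiated: InitiatedBy.user is null, so Actor will be empty
    {"TimeGenerated": NOW - timedelta(hours=5), "OperationName": "Create access package",
     "TargetResources": [{"type": "AccessPackage", "displayName": "Vendor Portal"}],
     "InitiatedBy": {"app": {"displayName": "Provisioning Automation"}, "user": None}},
    # Different operation on a package: must not match
    {"TimeGenerated": NOW - timedelta(hours=1), "OperationName": "Update access package",
     "TargetResources": [{"type": "AccessPackage", "displayName": "Finance Contractors"}],
     "InitiatedBy": {"user": json.dumps({"userPrincipalName": "bob@contoso.example"})}},
    # Outside the 1d window: must not match
    {"TimeGenerated": NOW - timedelta(days=3), "OperationName": "Create access package",
     "TargetResources": [{"type": "AccessPackage", "displayName": "Old Package"}],
     "InitiatedBy": {"user": json.dumps({"userPrincipalName": "carol@contoso.example"})}},
]


def detect_access_package_created(rows, now=NOW, window=timedelta(days=1)):
    """Mirror the KQL pipeline: TimeGenerated > ago(1d), OperationName match,
    TargetResources[0].type == AccessPackage, then project the four columns."""
    hits = []
    for row in rows:
        if row["TimeGenerated"] <= now - window:
            continue
        if row.get("OperationName") != "Create access package":
            continue
        targets = row.get("TargetResources") or []
        if not targets or targets[0].get("type") != "AccessPackage":
            continue
        # InitiatedBy.user may arrive as a JSON string, a parsed dict, or null; the
        # KQL tostring()/parse_json() chain yields an empty Actor in the null case.
        user = row.get("InitiatedBy", {}).get("user")
        if isinstance(user, str):
            user = json.loads(user)
        actor = (user or {}).get("userPrincipalName", "")
        hits.append({"TimeGenerated": row["TimeGenerated"], "OperationName": row["OperationName"],
                     "AccessPackageName": str(targets[0].get("displayName", "")), "Actor": actor})
    return hits
```

A blank Actor is worth treating as its own review case rather than noise, since it means the package was created by an application or automation rather than an interactive user.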

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AzureAD,EntitlementPackage,Resources,Roles,Package,DataConnector,AuditLogs,TimeGenerated,OperationName,Createaccesspackage,TargetResources,AccessPackage,AccessPackageName,Actor,InitiatedBy.user,userPrincipalName

Operators

where, ago, ==, [0], type, extend, tostring, parse_json, ., project