Query Details

Audit Detect New Privileged Group Added

Query

//Detect when a group is added to Azure AD with the 'Azure AD roles can be assigned to this group' flag enabled

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Add group"
// modifiedProperties is an array of {displayName, oldValue, newValue}; each newValue is itself a
// JSON-encoded string (e.g. "[true]"), hence the nested parse_json(tostring(...))[0] pattern below.
// The query assumes IsAssignableToRole is the second entry ([1]) and the group's display name the
// first ([0]); the displayName check guards the positional lookup.
| where parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName == "IsAssignableToRole"
| where parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))[0] == true
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue))[0])
// InitiatedBy.user holds the principal that created the group and the source IP recorded for the request
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| project TimeGenerated, OperationName, GroupName, Actor, ['Actor IP Address']

Explanation

This query detects when a group is created in Azure AD with the 'Azure AD roles can be assigned to this group' flag (IsAssignableToRole) enabled. It uses the Azure Active Directory - Audit Logs data connector. The query filters the audit logs to events from the past 90 days where the operation is "Add group", then checks the group's modifiedProperties for an IsAssignableToRole entry whose new value is true. Because each newValue is stored as a JSON-encoded string, the query wraps it in parse_json(tostring(...)) and reads the first element of the resulting array. It then extracts the group name, the actor (the user who initiated the action) and the actor's IP address, and projects the timestamp, operation name, group name, actor and IP address. The IsAssignableToRole setting can only be chosen when the group is created and cannot be changed afterwards, so group creation is the event to watch; creating such a group requires a Privileged Role Administrator or Global Administrator, so every actor returned should be a known, approved administrator. Note that the query relies on IsAssignableToRole appearing at index 1 and the display name at index 0 of modifiedProperties; if the property order differs in a tenant, matching on displayName rather than position is more robust.
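The detection logic above, re-implemented in Python over a handful of constructed AuditLogs rows. This is an added example and is not part of the original query page or Matt Zorich's code. It looks up IsAssignableToRole and DisplayName by name instead of by array position (which the KQL query assumes), and also includes matches_original_query, which reproduces the query's positional [1] check so the difference is visible on a row whose properties arrive in a different order. Row contents, principal names, IP addresses and the fixed NOW timestamp are constructed sample data; the helper names are this example's own.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 90-day window is deterministic (constructed for this example).
NOW = datetime(2022, 6, 23, tzinfo=timezone.utc)


def _row(days_ago, op, upn, ip, props):
    """Build one constructed AuditLogs row shaped like the Sentinel AuditLogs schema.

    props is an ordered list of (displayName, newValue) pairs; newValue is stored as a
    JSON-encoded string, as the audit log does, so the detector must decode it.
    """
    return {
        "TimeGenerated": (NOW - timedelta(days=days_ago)).isoformat(),
        "OperationName": op,
        "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
        "TargetResources": [{"modifiedProperties": [
            {"displayName": name, "oldValue": None, "newValue": json.dumps(value)}
            for name, value in props
        ]}],
    }


# Constructed sample rows: two role-assignable groups (the second with its properties in a
# different order), an ordinary group, an "Update group" event and an event older than 90 days.
SAMPLE_ROWS = [
    _row(1, "Add group", "admin@contoso.example", "203.0.113.10",
         [("DisplayName", ["PIM-Eligible-Admins"]), ("IsAssignableToRole", [True])]),
    _row(2, "Add group", "helpdesk-lead@contoso.example", "198.51.100.7",
         [("IsAssignableToRole", [True]), ("DisplayName", ["Helpdesk-Tier2"])]),
    _row(3, "Add group", "user@contoso.example", "203.0.113.11",
         [("DisplayName", ["Marketing"]), ("IsAssignableToRole", [False])]),
    _row(4, "Update group", "admin@contoso.example", "203.0.113.10",
         [("DisplayName", ["PIM-Eligible-Admins"]), ("IsAssignableToRole", [True])]),
    _row(120, "Add group", "admin@contoso.example", "203.0.113.10",
         [("DisplayName", ["Old-Role-Group"]), ("IsAssignableToRole", [True])]),
]


def _first_new_value(prop):
    """Equivalent of KQL parse_json(tostring(prop.newValue))[0]; None if absent or malformed."""
    if not prop:
        return None
    try:
        values = json.loads(prop.get("newValue"))
    except (TypeError, ValueError):
        return None
    return values[0] if isinstance(values, list) and values else None


def _modified_properties(row):
    """Index TargetResources[0].modifiedProperties by displayName (order-independent)."""
    targets = row.get("TargetResources") or []
    if not targets:
        return {}
    return {p.get("displayName"): p for p in targets[0].get("modifiedProperties") or []}


def matches_original_query(row):
    """Reproduce the page query's positional test: modifiedProperties[1] must be IsAssignableToRole=true."""
    try:
        prop = row["TargetResources"][0]["modifiedProperties"][1]
    except (KeyError, IndexError, TypeError):
        return False
    return prop.get("displayName") == "IsAssignableToRole" and _first_new_value(prop) is True


def detect_role_assignable_groups(rows, now=NOW, lookback=timedelta(days=90)):
    """Return the KQL query's projection for every row that creates a role-assignable group."""
    hits = []
    for row in rows:
        if datetime.fromisoformat(row["TimeGenerated"]) <= now - lookback:  # ago(90d)
            continue
        if row.get("OperationName") != "Add group":
            continue
        props = _modified_properties(row)
        if _first_new_value(props.get("IsAssignableToRole")) is not True:  # == true
            continue
        user = (row.get("InitiatedBy") or {}).get("user") or {}
        hits.append({
            "TimeGenerated": row["TimeGenerated"],
            "OperationName": row["OperationName"],
            "GroupName": _first_new_value(props.get("DisplayName")),
            "Actor": user.get("userPrincipalName"),
            "Actor IP Address": user.get("ipAddress"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_role_assignable_groups(SAMPLE_ROWS):
        print(hit)
```

Run as-is, the script reports the two role-assignable groups and nothing else; the Marketing group, the "Update group" event and the 120-day-old event are filtered out. matches_original_query returns False for the Helpdesk-Tier2 row because its IsAssignableToRole entry sits at index 0, which is the case the name-based lookup is there to cover.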

Details


Matt Zorich

Released: June 23, 2022

Tables

AuditLogs

Keywords

AuditLogs,TimeGenerated,OperationName,TargetResources,modifiedProperties,displayName,IsAssignableToRole,newValue,GroupName,Actor,InitiatedBy,user,userPrincipalName,ipAddress

Operators

where,>,ago(),==,parse_json(),tostring(),[0].newValue,extend,project
