Query Details
//When a user holding a privileged role triggers an Azure AD risk event, retrieve the operations completed by that user
//Lookup the IdentityInfo table for any users holding a privileged role
//Data connector required for this query - Azure Active Directory - Audit Logs
//Data connector required for this query - Microsoft Sentinel UEBA
let privusers =
IdentityInfo
| where TimeGenerated > ago(21d)
// IdentityInfo is refreshed periodically by UEBA, so keep only the latest record per account
| summarize arg_max(TimeGenerated, *) by AccountUPN
// AssignedRoles is a dynamic array; an account with no directory roles carries an empty list
| where isnotempty(AssignedRoles) and tostring(AssignedRoles) != "[]"
| distinct AccountUPN;
AADUserRiskEvents
| where TimeGenerated > ago(7d)
| where UserPrincipalName in (privusers)
// drop detections that Identity Protection's own analysis has already dismissed as safe
| where RiskDetail != "aiConfirmedSigninSafe"
| project RiskTime=TimeGenerated, UserPrincipalName
| join kind=inner
(
AuditLogs
| where TimeGenerated > ago(7d)
// the initiating user is nested inside the InitiatedBy dynamic column
| extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
)
on UserPrincipalName
| project-rename OperationTime=TimeGenerated
// Time Between Events is OperationTime minus RiskTime in minutes; it is negative when the operation preceded the risk event
| project
RiskTime,
OperationTime,
['Time Between Events']=datetime_diff("minute", OperationTime, RiskTime),
OperationName,
Category,
CorrelationId

This query surfaces the directory operations performed by a privileged user around the time that user triggered an Azure AD Identity Protection risk event. It first builds the set of privileged users from the UEBA IdentityInfo table: because IdentityInfo is refreshed periodically rather than on every change, the query looks back 21 days, keeps only the most recent record per account with arg_max, and retains accounts whose AssignedRoles list is non-empty. It then filters AADUserRiskEvents from the last 7 days to those users, discards detections whose RiskDetail is aiConfirmedSigninSafe (Identity Protection's own analysis has already dismissed them), and joins the remaining events to AuditLogs on the user principal name parsed out of the InitiatedBy.user field. The output lists the risk time, the operation time, the minutes between them, and the operation name, category and correlation ID of each audited operation.

Two things to keep in mind when reading the results. The join matches every audit operation by that user in the 7-day window, not only those after the risk event, so Time Between Events is negative for operations that preceded the detection. And because AuditLogs records directory changes (role assignments, application credential additions, user and group changes) rather than sign-ins, a risk event followed within minutes by a sensitive change is the pattern to triage first.
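The following is an added example, not part of the original query and not written by the page's author. It narrows the same correlation to audit operations that happened inside a bounded window after each risk event, carries the risk type, level and state into the output so an analyst can triage without a second lookup, and drops AuditLogs rows that have no initiating user (service-initiated changes). The 12-hour window and the set of projected columns are assumptions to tune for your tenant.

```kql
// Added example: post-risk operations by privileged users, bounded to a window after the risk event.
// The 12h window is an assumption; widen or narrow it to match your environment.
let lookback = 7d;
let window = 12h;
let privusers =
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where isnotempty(AssignedRoles) and tostring(AssignedRoles) != "[]"
    | distinct AccountUPN;
AADUserRiskEvents
| where TimeGenerated > ago(lookback)
| where UserPrincipalName in (privusers)
| where RiskDetail != "aiConfirmedSigninSafe"
// keep the risk context so the output explains why the user is in scope
| project RiskTime = TimeGenerated, UserPrincipalName, RiskEventType, RiskLevel, RiskState, IpAddress
| join kind=inner (
    AuditLogs
    | where TimeGenerated > ago(lookback)
    | extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    // InitiatedBy.user is empty for app- or service-initiated changes; those cannot match a user risk event
    | where isnotempty(UserPrincipalName)
    | project OperationTime = TimeGenerated, UserPrincipalName, OperationName, Category, Result, CorrelationId
) on UserPrincipalName
// only operations that occurred after the risk event and within the window
| where OperationTime between (RiskTime .. (RiskTime + window))
| extend ['Minutes After Risk'] = datetime_diff("minute", OperationTime, RiskTime)
| project-away UserPrincipalName1
| sort by UserPrincipalName asc, RiskTime asc, OperationTime asc
```

The between clause is the substantive change: with it, every row is an operation that postdates its matching risk event, so the Minutes After Risk column is always non-negative and the result set shrinks to the operations an attacker who had just tripped a detection could actually have performed. Sorting by user, then risk time, then operation time groups each risk event with its follow-on activity.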

Matt Zorich
Released: June 17, 2022