Query Details

Audit New Privileged Actions

Query

//Find new operations completed by your privileged Azure AD users not seen before

//Data connector required for this query - Azure Active Directory - Audit Logs
//Data connector required for this query - Microsoft Sentinel UEBA

//Lookup the IdentityInfo table for any users holding a privileged role
let privusers=
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where isnotempty(AssignedRoles)
    | where AssignedRoles != "[]"
    | distinct AccountUPN;
//Find actions taken by those users previously
AuditLogs
| where TimeGenerated > ago(90d) and TimeGenerated < ago(1d)
| extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(UserPrincipalName)
| where UserPrincipalName in (privusers)
| distinct UserPrincipalName, OperationName
//Find any new actions taken in the last day not seen before from that user
| join kind=rightanti (
    AuditLogs
    | where TimeGenerated > ago(1d)
    | extend UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where UserPrincipalName in (privusers)
    | where isnotempty(UserPrincipalName)
    )
    on UserPrincipalName, OperationName
| project TimeGenerated, UserPrincipalName, OperationName, Category, CorrelationId

Explanation

This query looks for operations completed by privileged Azure AD users that have not been seen from that user before. It first takes each account's most recent IdentityInfo record from the last 21 days and keeps the accounts whose AssignedRoles field is non-empty, giving the list of privileged users. It then builds a baseline from AuditLogs of the distinct user and operation pairs those users generated between 90 days ago and 1 day ago. Finally it performs a rightanti join of that baseline against the last day of AuditLogs for the same users, which returns only the last-day rows whose user and operation pair has no match in the baseline. The result includes the time the operation was generated, the user's principal name, the operation name, the category, and the correlation ID.
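The join is the part of this query that is easiest to get backwards, so the following is an added example (not part of the original query) that reproduces the baseline-versus-last-day rightanti pattern over constructed datatable rows instead of the live IdentityInfo and AuditLogs tables. The UPNs, timestamps and operation names are placeholders; the rows are built to cover three cases: an operation already in a user's baseline, a genuinely new operation from a baselined user, and a privileged user who has no baseline rows at all.

```kql
// Added example, not the original query: a self-contained harness for the
// "baseline vs. last day" rightanti pattern, runnable in any Log Analytics or
// Kusto query window without the real tables. All data below is constructed.
let privusers = datatable(AccountUPN:string)
[
    "alice@contoso.example",   // has a baseline and one new operation
    "bob@contoso.example",     // has a baseline, repeats a known operation
    "carol@contoso.example"    // privileged but with no baseline rows at all
];
// Constructed baseline: distinct user/operation pairs from the lookback window
let baseline = datatable(UserPrincipalName:string, OperationName:string)
[
    "alice@contoso.example", "Update user",
    "alice@contoso.example", "Add member to group",
    "bob@contoso.example",   "Update user"
];
// Constructed last-day activity, including a non-privileged user (dave)
let lastday = datatable(TimeGenerated:datetime, UserPrincipalName:string, OperationName:string, Category:string)
[
    datetime(2022-06-17 08:00:00), "alice@contoso.example", "Update user",          "UserManagement",
    datetime(2022-06-17 08:05:00), "alice@contoso.example", "Add owner to application", "ApplicationManagement",
    datetime(2022-06-17 09:00:00), "bob@contoso.example",   "Update user",          "UserManagement",
    datetime(2022-06-17 09:30:00), "carol@contoso.example", "Update user",          "UserManagement",
    datetime(2022-06-17 10:00:00), "dave@contoso.example",  "Reset user password",  "UserManagement"
];
// Same shape as the production query: left side is the baseline, right side is
// the last day, and rightanti keeps right rows with no match on both keys.
baseline
| where UserPrincipalName in (privusers)
| distinct UserPrincipalName, OperationName
| join kind=rightanti (
    lastday
    | where UserPrincipalName in (privusers)
    | where isnotempty(UserPrincipalName)
    )
    on UserPrincipalName, OperationName
| project TimeGenerated, UserPrincipalName, OperationName, Category
```

Swapping the datatable rows for different cases is a quick way to check the detection before deploying it as an analytics rule. The carol case is the one to keep in mind when triaging: an account that only recently received a privileged role has no baseline in the 90-day window, so every operation it performs in its first day is reported as new, and the same applies after the IdentityInfo lookback causes a user to enter privusers for the first time.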

Details


Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, AuditLogs

Keywords

IdentityInfo,AccountUPN,AssignedRoles,AuditLogs,TimeGenerated,InitiatedBy.user,UserPrincipalName,OperationName,Category,CorrelationId

Operators

let, summarize, by, where, ago, isnotempty, !=, distinct, extend, tostring, parse_json, in, join, kind=rightanti, on, project
