Query Details
//Detect when a user is added and removed from an Azure AD role within a short time frame
//Data connector required for this query - Azure Active Directory - Audit Logs
//Timerange = the amount of data to look back on, timeframe = the time between the role being added and removed
let timerange=7d;
let timeframe=4h;
AuditLogs
| where TimeGenerated > ago (timerange)
| where OperationName == "Add member to role"
| where Result == "success"
//Exclude role additions from Azure AD PIM
| where Identity <> "MS-PIM"
| extend User = tostring(TargetResources[0].userPrincipalName)
| extend Role = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend UserWhoAdded = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeAdded=TimeGenerated, User, Role, UserWhoAdded
| join kind=inner (
AuditLogs
| where TimeGenerated > ago (timerange)
| where OperationName == "Remove member from role"
| where Result == "success"
//Exclude role removals from Azure AD PIM
| where Identity <> "MS-PIM"
| extend User = tostring(TargetResources[0].userPrincipalName)
| extend Role = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend UserWhoRemoved = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeRemoved=TimeGenerated, User, Role, UserWhoRemoved
)
on User, Role
| extend ['Time User Held Role'] = TimeRemoved - TimeAdded
//The join pairs every addition with every removal of the same user and role, so drop removals that predate the addition (negative duration)
| where TimeRemoved >= TimeAdded
| where ['Time User Held Role'] < timeframe
| project
TimeAdded,
TimeRemoved,
['Time User Held Role'],
User,
Role,
UserWhoAdded,
UserWhoRemoved
This query detects a user being added to and then removed from an Azure AD role within a short window, a pattern worth reviewing because it is how temporary privilege is granted and then cleaned up, whether by an administrator troubleshooting or by someone covering their tracks. It reads the Azure Active Directory AuditLogs table and keeps only successful "Add member to role" and "Remove member from role" operations. Changes initiated by Azure AD Privileged Identity Management (Identity "MS-PIM") are excluded because PIM activations and their scheduled expiries legitimately add and remove roles within hours and would otherwise dominate the results. The additions and removals are inner-joined on user and role, the time the role was held is calculated as TimeRemoved minus TimeAdded, and only pairs held for less than timeframe (4 hours by default, over a 7 day lookback) are returned, together with who performed the addition and who performed the removal. Because the join matches every addition with every removal of the same role for the same user, a removal that happened before an addition within the lookback yields a negative duration that also passes a plain less-than filter; requiring TimeRemoved to be later than TimeAdded removes those pairs.
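The same detection replayed outside Sentinel, as an added example that is not part of the original page or of the author's query: a small Python reimplementation of the filters and the join over a constructed set of AuditLogs-style records. The field layout (modifiedProperties as a JSON string, the role name JSON-encoded inside it at index 1, InitiatedBy.user.userPrincipalName) follows the Azure AD audit schema the KQL parses; the users, roles, timestamps and the helper names make_record and short_lived_role_assignments are constructed for the example. It includes one true positive and the cases the query must drop: PIM-initiated changes, a role held longer than the window, a failed addition, and a removal that predates the addition.

```python
# Added example, not code from the original page: a Python replay of the KQL
# add-then-remove role detection over constructed AuditLogs-style records.
import json
from datetime import datetime, timedelta

ADD_OP = "Add member to role"
REMOVE_OP = "Remove member from role"
PIM_IDENTITY = "MS-PIM"   # PIM activations and expiries are logged with this Identity


def make_record(ts, op, identity, upn, role, actor, result="success"):
    """Build one constructed AuditLogs record. As in the real schema,
    modifiedProperties is a JSON string and the role name is itself a
    JSON-encoded string inside it (hence the nested parse_json in the KQL);
    index 1 is Role.DisplayName, with newValue set on additions and oldValue
    on removals."""
    key = "newValue" if op == ADD_OP else "oldValue"
    props = [
        {"displayName": "Role.ObjectID", key: json.dumps("constructed-role-object-id")},
        {"displayName": "Role.DisplayName", key: json.dumps(role)},
    ]
    return {
        "TimeGenerated": ts,
        "OperationName": op,
        "Result": result,
        "Identity": identity,
        "TargetResources": [{"userPrincipalName": upn,
                             "modifiedProperties": json.dumps(props)}],
        "InitiatedBy": {"user": {"userPrincipalName": actor}},
    }


def _extract(rec, value_key):
    """Return (User, Role, actor UPN) the way the KQL extend clauses do."""
    target = rec["TargetResources"][0]
    props = json.loads(target["modifiedProperties"])
    role = json.loads(props[1][value_key])   # second decode strips the inner JSON quoting
    return target["userPrincipalName"], role, rec["InitiatedBy"]["user"]["userPrincipalName"]


def short_lived_role_assignments(records, now,
                                 timerange=timedelta(days=7),
                                 timeframe=timedelta(hours=4)):
    """Return add/remove pairs for the same (User, Role) where the role was
    held for less than `timeframe`. Mirrors the KQL filters (lookback, success
    only, MS-PIM excluded, inner join on User and Role) and additionally
    requires the removal to come after the addition."""
    since = now - timerange
    adds, removes = [], []
    for rec in records:
        if (rec["TimeGenerated"] < since or rec["Result"] != "success"
                or rec["Identity"] == PIM_IDENTITY):
            continue
        if rec["OperationName"] == ADD_OP:
            adds.append((rec["TimeGenerated"],) + _extract(rec, "newValue"))
        elif rec["OperationName"] == REMOVE_OP:
            removes.append((rec["TimeGenerated"],) + _extract(rec, "oldValue"))
    hits = []
    for t_add, user, role, added_by in adds:
        for t_rem, r_user, r_role, removed_by in removes:
            if (user, role) != (r_user, r_role):
                continue
            held = t_rem - t_add
            # An inner join pairs every addition with every removal of the same
            # role; keep only removals that follow the addition within timeframe.
            if timedelta(0) <= held < timeframe:
                hits.append({"TimeAdded": t_add, "TimeRemoved": t_rem, "Held": held,
                             "User": user, "Role": role,
                             "UserWhoAdded": added_by, "UserWhoRemoved": removed_by})
    return hits


NOW = datetime(2022, 6, 17, 12, 0)
H, D = timedelta(hours=1), timedelta(days=1)
EVE = "eve@contoso.com"
# Constructed sample log: one true positive plus the cases the filters must drop.
SAMPLE_LOGS = [
    # alice: added by eve, removed two hours later -> should fire
    make_record(NOW - 3 * H, ADD_OP, "Eve Adams", "alice@contoso.com", "Global Administrator", EVE),
    make_record(NOW - 1 * H, REMOVE_OP, "Eve Adams", "alice@contoso.com", "Global Administrator", EVE),
    # bob: PIM activation and expiry -> excluded by Identity <> "MS-PIM"
    make_record(NOW - 2 * H, ADD_OP, PIM_IDENTITY, "bob@contoso.com", "Security Administrator", "bob@contoso.com"),
    make_record(NOW - 1 * H, REMOVE_OP, PIM_IDENTITY, "bob@contoso.com", "Security Administrator", "bob@contoso.com"),
    # carol: held the role for four days -> outside the 4h timeframe
    make_record(NOW - 5 * D, ADD_OP, "Eve Adams", "carol@contoso.com", "User Administrator", EVE),
    make_record(NOW - 1 * D, REMOVE_OP, "Eve Adams", "carol@contoso.com", "User Administrator", EVE),
    # dave: removal precedes addition -> negative duration, must not fire
    make_record(NOW - 6 * H, REMOVE_OP, "Eve Adams", "dave@contoso.com", "Exchange Administrator", EVE),
    make_record(NOW - 2 * H, ADD_OP, "Eve Adams", "dave@contoso.com", "Exchange Administrator", EVE),
    # frank: the addition failed -> dropped by Result == "success"
    make_record(NOW - 2 * H, ADD_OP, "Eve Adams", "frank@contoso.com", "Global Administrator", EVE, result="failure"),
    make_record(NOW - 1 * H, REMOVE_OP, "Eve Adams", "frank@contoso.com", "Global Administrator", EVE),
]

if __name__ == "__main__":
    for hit in short_lived_role_assignments(SAMPLE_LOGS, NOW):
        print(f"{hit['User']} held {hit['Role']} for {hit['Held']} "
              f"(added by {hit['UserWhoAdded']}, removed by {hit['UserWhoRemoved']})")
```

Running the script reports only alice's two-hour Global Administrator assignment. The dave records show why the ordering check matters: without it, a removal six hours ago paired with an addition two hours ago gives a duration of minus four hours, which a plain "less than timeframe" comparison would happily keep.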

Matt Zorich
Released: June 17, 2022