Query Details

Audit Logs Azure AD Role Assignment

Query

// This query is too long to be used directly in an Analytics Rule (more than 10,000 characters), so it had to be made into a function that the rule can call.
// You can find the function at the following link.
//
// https://github.com/ep3p/Sentinel_KQL/blob/main/Functions/Analytics-AzureADRoleAssignments.kql
//
AzureADRoleAssignments
| summarize count() by RoleName, RoleType, UserPrincipalName
| order by count_ desc

Explanation

This query counts Azure Active Directory role assignments grouped by role name, role type, and user principal name, and orders the results by that count in descending order. Because the full query is too long to be embedded in an Analytics Rule, it has been turned into a function (AzureADRoleAssignments) that the rule calls; the function definition is available at the GitHub link above.
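To illustrate what a role-assignment summary over the raw AuditLogs table can look like, here is an added example; it is not the author's AzureADRoleAssignments function, and the way RoleName, RoleType and UserPrincipalName are derived from TargetResources, as well as the Initiator column, are assumptions made for this illustration.

```kql
// Added example, not the linked function. Column names follow the AuditLogs
// schema; the derived RoleName/RoleType/UserPrincipalName fields are an
// assumption about how such a summary can be built.
AuditLogs
| where Category == "RoleManagement"
| where OperationName has_any ("Add member to role", "Add eligible member to role")
| where Result == "success"
// One row per target resource (the principal receiving the role)
| mv-expand TargetResource = TargetResources
| extend UserPrincipalName = tostring(TargetResource.userPrincipalName)
// The role name is carried in the modifiedProperties list as Role.DisplayName
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| where tostring(ModifiedProperty.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string, so strip the surrounding quotes
| extend RoleName = trim('"', tostring(ModifiedProperty.newValue))
| extend RoleType = iff(OperationName has "eligible", "Eligible", "Active")
// Who performed the assignment: an interactive user or an application
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
| summarize count(), Initiators = make_set(Initiator)
    by RoleName, RoleType, UserPrincipalName
| order by count_ desc
```

Reviewing the Initiators set alongside the count helps a defender spot assignments made by an unexpected account or application rather than by the normal privileged-access process.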

Details

Jose Sebastián Canós

Released: September 7, 2023

Tables

AzureADRoleAssignments

Keywords

Analytics, AzureADRoleAssignments, Function, Rule, Characters, Link, GitHub
