Query Details
AuditLogs
| where LoggedByService == "Azure RBAC (Elevated Access)" and Category == "AzureRBACRoleManagementElevateAccess" // and isempty(AADOperationType)
| extend
    Initiator = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["displayName"]), tostring(InitiatedBy["user"]["userPrincipalName"])),
    InitiatorId = iif(isnotempty(InitiatedBy["app"]), tostring(InitiatedBy["app"]["servicePrincipalId"]), tostring(InitiatedBy["user"]["id"])),
    IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
| mv-apply AdditionalDetail = AdditionalDetails on (
    summarize AdditionalDetailsBag = make_bag(bag_pack(tostring(AdditionalDetail["key"]), tostring(AdditionalDetail["value"])))
)
| extend
    AppId = tostring(AdditionalDetailsBag["APP ID"]),
    AzureOperationName = tostring(AdditionalDetailsBag["OperationName"]),
    TargetId = replace_regex(tostring(AdditionalDetailsBag["Principal ID linked to Role Assignment"]), @"([a-f0-9]{8})([a-f0-9]{4})([a-f0-9]{4})([a-f0-9]{4})([a-f0-9]{12})", @"\1-\2-\3-\4-\5")
| project
    TimeGenerated,
    LoggedByService,
    Category,
    AADOperationType,
    Initiator,
    IPAddress,
    OperationName,
    Result,
    ResultDescription,
    AzureOperationName,
    TargetId,
    AppId,
    AdditionalDetails,
    InitiatorId,
    InitiatedBy,
    TargetResources,
    CorrelationId
This KQL (Kusto Query Language) query is designed to analyze audit logs related to Azure Role-Based Access Control (RBAC) elevated access activities. Here's a simplified breakdown of what the query does:
Filter Logs: It starts by filtering the AuditLogs table to only include entries where the action was logged by the "Azure RBAC (Elevated Access)" service and belongs to the "AzureRBACRoleManagementElevateAccess" category.
Extract Initiator Information: It determines who initiated the action. If the action was initiated by an application, it extracts the application's display name and service principal ID. If initiated by a user, it extracts the user's principal name and ID.
Extract IP Address: It retrieves the IP address from the initiator object (app or user) from which the action was initiated.
Process Additional Details: It processes the additional details associated with each log entry. The list of key/value entries is flattened into a bag (a single collection of key-value pairs) so that specific fields can be addressed by name:
AppId: The application ID involved in the action.
AzureOperationName: The name of the Azure operation performed.
TargetId: The ID of the principal linked to the role assignment, reformatted from a bare 32-hex-character string into a standard hyphenated GUID.
Select and Project Columns: Finally, it selects and projects specific columns to be included in the output, such as:
TimeGenerated: The time the log entry was created.
LoggedByService, Category, AADOperationType: Basic log details.
Initiator, IPAddress, OperationName, Result, ResultDescription: Information about the action and its outcome.
AzureOperationName, TargetId, AppId: Details extracted from additional information.
AdditionalDetails, InitiatorId, InitiatedBy, TargetResources, CorrelationId: Other relevant details for further analysis.
Overall, this query is used to monitor and analyze elevated access activities in Azure, providing insights into who initiated the actions, from where, and what specific operations were performed.
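Building on the same filter and AdditionalDetails parsing, the following is an added example (not part of the original query) that turns the hunt into a baseline check: it surfaces initiators who elevated access in the last day but had not done so in the preceding 30 days, grouping their events with source IPs, operations and outcomes. The 30-day and 1-day windows and the name knownInitiators are assumptions to tune for your tenant.

```kql
// Added example, not part of the original query: flag elevate-access events from
// initiators with no such activity in the baseline window. Window sizes are assumptions.
let lookback = 30d;
let recent = 1d;
let elevations = AuditLogs
    | where LoggedByService == "Azure RBAC (Elevated Access)"
        and Category == "AzureRBACRoleManagementElevateAccess"
    | extend
        Initiator = iif(isnotempty(InitiatedBy["app"]),
                        tostring(InitiatedBy["app"]["displayName"]),
                        tostring(InitiatedBy["user"]["userPrincipalName"])),
        IPAddress = tostring(InitiatedBy[tostring(bag_keys(InitiatedBy)[0])]["ipAddress"])
    // Flatten the key/value list into one bag so the Azure operation name is addressable.
    | mv-apply AdditionalDetail = AdditionalDetails on (
        summarize AdditionalDetailsBag = make_bag(bag_pack(tostring(AdditionalDetail["key"]), tostring(AdditionalDetail["value"])))
    )
    | extend AzureOperationName = tostring(AdditionalDetailsBag["OperationName"]);
// Initiators that elevated at least once during the baseline window (older than "recent").
let knownInitiators = elevations
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | distinct Initiator;
// Recent elevations by anyone outside that baseline, one row per initiator.
elevations
| where TimeGenerated > ago(recent)
| where Initiator !in (knownInitiators)
| summarize
    Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(IPAddress),
    Operations = make_set(AzureOperationName),
    Outcomes = make_set(Result)
    by Initiator
| order by LastSeen desc
```

Because elevate access is a rare, tenant-wide action, even a single row from this query is usually worth an analyst's review; pair it with the Result column to distinguish attempted from successful elevations.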

Jose Sebastián Canós
Released: June 30, 2025