Query Details

Audit Logs Entra ID Role Assignment

Query

// This query is too long to be in an Analytics Rule (more than 10,000 characters), so it had to be made a function that can be called by the rule.
// You can find the function in the next link.
//
// https://github.com/ep3p/Sentinel_KQL/blob/main/Functions/Analytics-EntraIDRoleAssignments.kql
//
EntraIDRoleAssignments

Explanation

The query shown above is a call to a KQL (Kusto Query Language) function named EntraIDRoleAssignments. The function's source is stored in a GitHub repository, and it is designed to be saved as a function in Microsoft Sentinel, a security information and event management (SIEM) system, so that an Analytics Rule can call it.

Here's a simple summary of what this setup implies:

  1. Purpose: The function EntraIDRoleAssignments is likely used to analyze or retrieve data related to role assignments in Entra ID (formerly known as Azure Active Directory). This could involve checking who has been assigned specific roles, when these assignments were made, or other related activities.

  2. Function Usage: Instead of writing a long query directly in an Analytics Rule in Microsoft Sentinel, which has a character limit, the query logic is encapsulated in a function. This makes it reusable and easier to manage.

  3. GitHub Repository: The actual KQL logic for the function is stored in a GitHub repository. This allows for version control and easy sharing or updating of the query logic.

  4. Integration: By calling this function within an Analytics Rule, users can efficiently incorporate complex logic into their security monitoring and analysis workflows without exceeding character limits.

In essence, this setup is about managing complex query logic within the constraints of Microsoft Sentinel's Analytics Rules: the logic is saved as a reusable function that the rule calls by name, with the function's source kept in GitHub for versioning and sharing.

Details

Jose Sebastián Canós

Released: June 23, 2025

Tables

EntraIDRoleAssignments

Keywords

EntraIDRoleAssignments
