Query Details

Azure Resource IAM Access Delegation

Query

// Watchlist mapping role definition GUIDs (SearchKey) to role names
let AzureRoles = _GetWatchlist("AzureRoleData");
AzureActivity
// Only role assignment writes (new or updated RBAC assignments)
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
// Identity that performed the assignment
| extend Assigner = Caller
// Name claim from the caller's token (subscript notation for a key containing ':' and '/')
| extend Assignee = tostring(Claims_d["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"])
// The request body is a JSON string; its Properties object holds the assignment details
| extend AssignmentProps = parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).Properties))
// Last path segment of RoleDefinitionId is the role definition GUID
| extend GroupIDAsString = tostring(split(tostring(AssignmentProps.RoleDefinitionId), "/")[-1])
// Last path segment of Scope is the resource (or resource group / subscription) the role was granted on
| extend ResourceName = tostring(split(tostring(AssignmentProps.Scope), "/")[-1])
| where isnotempty(ResourceName)
// Resolve the GUID to a readable role name; rows whose GUID is not in the watchlist are dropped
| join kind=inner AzureRoles on $left.GroupIDAsString == $right.SearchKey
| project RoleName, Assigner, Assignee, ResourceName

Explanation

This query looks at Azure Activity log events for role assignments. It filters for the role assignment write operation, extracts the assigner, the caller's name claim, the role definition GUID and the target resource from the request body, and then joins the GUID against a watchlist of Azure roles to show the role name, assigner, assignee, and resource name.
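To check the parsing logic without a live workspace, the following is an added example (not part of the original page or its author's query) that runs the same extraction against constructed sample rows. The SampleActivity rows, their request-body shape, and the AzureRoles datatable standing in for the watchlist are all assumptions built for this test; the two role GUIDs are the well-known Azure built-in Owner and Contributor role definition IDs.

```kql
// Constructed stand-in for AzureActivity: plain-string columns, then the nested
// requestbody JSON is built with bag_pack so the row shape matches what the
// production query parses (all values below are made up for this test).
let SampleActivity = datatable(TimeGenerated:datetime, OperationNameValue:string, Caller:string, CallerName:string, RoleDefinitionId:string, Scope:string)
[
    // Owner granted on a key vault: should pass every filter
    datetime(2024-06-07 10:00:00), "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "admin@contoso.example", "Admin User",
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod",
    // Contributor granted on a resource group: should pass every filter
    datetime(2024-06-07 10:05:00), "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "ops@contoso.example", "Ops User",
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod",
    // Role GUID absent from the watchlist: the inner join drops this row
    datetime(2024-06-07 10:10:00), "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "ops@contoso.example", "Ops User",
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/ffffffff-ffff-ffff-ffff-ffffffffffff",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod",
    // Delete rather than write: the operation filter drops this row
    datetime(2024-06-07 10:15:00), "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/DELETE", "admin@contoso.example", "Admin User",
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"
]
// Claims_d carries the name claim under its full URI key
| extend Claims_d = bag_pack("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", CallerName)
// Properties_d.requestbody is a JSON *string* whose Properties object holds the assignment
| extend Properties_d = bag_pack("requestbody", tostring(bag_pack("Properties", bag_pack("RoleDefinitionId", RoleDefinitionId, "Scope", Scope))))
| project-away CallerName, RoleDefinitionId, Scope;
// Stand-in for _GetWatchlist("AzureRoleData"): SearchKey is the role definition GUID
let AzureRoles = datatable(SearchKey:string, RoleName:string)
[
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c", "Contributor"
];
// Same extraction as the page's query, applied to the sample rows
SampleActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| extend Assigner = Caller
| extend Assignee = tostring(Claims_d["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"])
| extend AssignmentProps = parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).Properties))
| extend GroupIDAsString = tostring(split(tostring(AssignmentProps.RoleDefinitionId), "/")[-1])
| extend ResourceName = tostring(split(tostring(AssignmentProps.Scope), "/")[-1])
| where isnotempty(ResourceName)
| join kind=inner AzureRoles on $left.GroupIDAsString == $right.SearchKey
| project TimeGenerated, RoleName, Assigner, Assignee, ResourceName
```

Run it in any Log Analytics or Azure Data Explorer query window; because the sample table and the watchlist stand-in are inline, no AzureActivity data is needed. The four rows exercise the two places a real event can fall out of the result (a role GUID missing from the watchlist, and an operation other than the write), which is where to look first when a known assignment does not show up in production.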

Details


Gordon Wallum

Released: June 7, 2024

Tables

AzureActivity, AzureRoles

Keywords

AzureActivity, OperationNameValue, Caller, Claims, GroupID, RoleDefinitionId, Properties, Scope, ResourceName, AzureRoles, SearchKey, RoleName, Assigner, Assignee

Operators

where, extend, split, parse_json, tostring, isnotempty, join, kind, project
