Query Details

Azure AD Groups

Query

# Azure Active Directory - Groups

## Query Information

### Description

Use the query below to retrieve information about Azure AD group membership changes, in this case members being added to a specific group.

#### References

### Microsoft Sentinel

```kql
// Display name of the group whose membership additions we want to review
let xGroupName = 'CA-ExcludeTestUser';
AuditLogs
| where TimeGenerated > ago(360d)
| where OperationName == "Add member to group"
// For this event TargetResources[0] is the added user; its modifiedProperties array describes
// the group it was added to, with the Group.DisplayName entry at index 1. newValue holds a
// JSON-encoded string ("\"name\""), so the inner parse_json strips the surrounding quotes.
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName == xGroupName
// Changes made by an application (sync, provisioning, automation) have no InitiatedBy.user,
// so fall back to the application display name rather than returning an empty actor.
| extend InitiatedByUser = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, GroupName, InitiatedByUser, AddedUser
```

Explanation

This query retrieves information about changes made to Azure AD groups. It specifically looks for "Add member to group" events in the AuditLogs table. The results are limited to changes made within the last 360 days, and the group display name is read from the modifiedProperties of the first target resource (the added user) and compared with the value of xGroupName, here "CA-ExcludeTestUser". The output includes the timestamp of the change, the group name, the account that initiated the change, and the user principal name of the member that was added. Note that the match on the group name is exact and case-sensitive, so a renamed group or a different spelling will not be returned.
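The following is an added example that is not part of the original page or the author's query set. It extends the same idea to both adds and removes across a watch list of groups, and resolves the group name by the modifiedProperties entry name instead of its array position, so it does not break if the entry order differs. The group names in watchedGroups are placeholders.

```kql
// Added example: membership changes (adds and removes) for a watch list of groups.
// The group names below are placeholders for this example, not values from the original page.
let watchedGroups = dynamic(["CA-ExcludeTestUser", "CA-BreakGlass"]);
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Add member to group", "Remove member from group")
// Each event carries the affected group inside TargetResources[0].modifiedProperties as an
// array of {displayName, oldValue, newValue}. Expand it and select the entry by name rather
// than by index, so the query keeps working if the entry order changes.
| mv-expand Prop = parse_json(tostring(TargetResources[0].modifiedProperties))
| where tostring(Prop.displayName) == "Group.DisplayName"
// Adds put the group name in newValue, removes put it in oldValue; both are JSON-encoded strings,
// so the inner parse_json strips the surrounding quotes.
| extend GroupName = tostring(parse_json(coalesce(tostring(Prop.newValue), tostring(Prop.oldValue))))
| where GroupName in (watchedGroups)
// Prefer the initiating user; fall back to the application name for app-initiated changes.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend Member = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, GroupName, Actor, Member, Result, CorrelationId
| order by TimeGenerated desc
```

Result and CorrelationId are included so that failed attempts show up alongside successful ones and a change can be traced back to the rest of the sign-in and audit activity from the same operation.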

Details

Alex Verboon

Released: September 23, 2023

Tables

AuditLogs

Keywords

Azure,Active,Directory,Groups,AuditLogs,TimeGenerated,OperationName,Add,member,group,GroupName,TargetResources,modifiedProperties,newValue,InitiatedBy,user,userPrincipalName,AddedUser,project

Operators

where, extend, parse_json, tostring, ago, ==, |, project