KQL Search

Query Details

HomeAI ToolsDevice Query

Azure Rbac Assignment Management Group

Query

id: 54ed43b6-b503-4b1a-ab83-42812f7b794a
name: Sensitive Azure RBAC added on Management Group level
description: |
  'Identifies when a sensitive Azure RBAC role is granted on Management Group-Level and shows actor as entity in the incident.'
severity: Medium
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
  - T1110
query: |
  let SensitiveRoles = dynamic(['Owner', 'User Access Administrator']);
  CloudAppEvents
  | where Application == 'Microsoft Azure' and ObjectId contains "/providers/Microsoft.Management"
  | extend authorization = parse_json(tostring(parse_json(tostring(RawEventData.authorization))))
  | where authorization.action == "Microsoft.Authorization/roleAssignments/write"
  | extend AzureActivityId = parse_json(tostring(RawEventData)).ActivityId
  | extend ClientIPAddress = parse_json(tostring(RawEventData.httpRequest)).clientIpAddress
  | extend RoleAssignment = parse_json(tostring(parse_json(tostring(RawEventData.authorization)).evidence))
  | extend AccountUpn = parse_json(tostring(RawEventData.claims)).["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
  // Trigger alert if only sensitive role has been assigned
  | extend RoleName = parse_json(tostring(RoleAssignment)).role
  | extend RoleScope = parse_json(tostring(RoleAssignment)).roleAssignmentScope
  | where RoleName in (SensitiveRoles)
  | project TimeGenerated, ActionType, AccountUpn,  AccountDisplayName, AccountObjectId, ClientIPAddress, RoleName, RoleScope, RoleAssignment
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountUpn
      - identifier: AadUserId
        columnName: AccountObjectId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIPAddress
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: RoleScope
version: 1.2.0

Explanation

This query is designed to identify when a sensitive Azure RBAC role is granted on the Management Group level. It will show the actor as an entity in the incident. The query looks for specific actions related to role assignments on the Management Group level in Azure. It then extracts relevant information such as the time generated, the account involved, the IP address, and the details of the role assignment. The query also maps the extracted information to specific entities such as accounts, IP addresses, and Azure resources. The query is set to run every 4 hours and has a medium severity level. The relevant techniques for this query are Initial Access and Credential Access.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

CloudAppEvents

Keywords

SensitiveRoles,CloudAppEvents,Application,ObjectId,RawEventData,authorization,action,Microsoft.Authorization/roleAssignments/write,AzureActivityId,ClientIPAddress,RoleAssignment,AccountUpn,RoleName,RoleScope,TimeGenerated,ActionType,AccountDisplayName,AccountObjectId,FullName,AadUserId,Address,ResourceId

Operators

whereextendparse_jsonproject

Actions