Query Details
//Use the Defender for Cloud Apps logs to detect when an action is taken in Azure Active Directory that is considered an admin operation
//Data connector required for this query - M365 Defender - CloudAppEvents
//Microsoft Sentinel query
CloudAppEvents
| where Application == "Office 365"
| extend Workload=RawEventData.Workload
| where Workload == "AzureActiveDirectory"
| where IsAdminOperation == "true"
| project TimeGenerated, ActionType, AccountDisplayName, ActivityType, RawEventData

//Advanced Hunting query
//Data connector required for this query - Advanced Hunting license
CloudAppEvents
| where Application == "Office 365"
| extend Workload=RawEventData.Workload
| where Workload == "AzureActiveDirectory"
| where IsAdminOperation == "1"
| project Timestamp, ActionType, AccountDisplayName, ActivityType, RawEventData
This query uses the Defender for Cloud Apps logs to identify when an admin operation is performed in Azure Active Directory. It keeps only CloudAppEvents rows where the application is Office 365 and the workload carried in RawEventData is AzureActiveDirectory, then filters on the IsAdminOperation flag and projects the timestamp, action type, account display name, activity type, and raw event data. The same logic runs in Microsoft Sentinel or Advanced Hunting, but each needs its own data connector, and the two variants differ in the timestamp column (TimeGenerated versus Timestamp) and in the value IsAdminOperation is compared against ("true" versus "1").
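The filter above, re-implemented in Python over exported CloudAppEvents rows, as an added example that is not part of the original query page. It assumes rows have been pulled out of Sentinel or Advanced Hunting as JSON objects with the column names the query uses; the sample rows below are constructed, not real telemetry. The point it adds is the normalisation step: the Sentinel export carries IsAdminOperation as a boolean and the Advanced Hunting export as 1/"1", and RawEventData may arrive as a dict or as a JSON string, so one detector handles both before applying the page's three conditions and summarising per account.

```python
import json
from collections import defaultdict

# Constructed sample rows shaped like CloudAppEvents records (not real telemetry).
# Rows 1-2 mimic a Microsoft Sentinel export (TimeGenerated, boolean IsAdminOperation);
# rows 3-5 mimic an Advanced Hunting export (Timestamp, IsAdminOperation as 1/0 or "1").
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-03-29T10:00:00Z", "Application": "Office 365",
     "ActionType": "Add member to role.", "AccountDisplayName": "alice@contoso.example",
     "ActivityType": "Run", "IsAdminOperation": True,
     "RawEventData": {"Workload": "AzureActiveDirectory"}},
    {"TimeGenerated": "2023-03-29T10:05:00Z", "Application": "Office 365",
     "ActionType": "FileAccessed", "AccountDisplayName": "bob@contoso.example",
     "ActivityType": "Run", "IsAdminOperation": False,
     "RawEventData": {"Workload": "SharePoint"}},
    {"Timestamp": "2023-03-29T10:10:00Z", "Application": "Office 365",
     "ActionType": "Update user.", "AccountDisplayName": "carol@contoso.example",
     "ActivityType": "Run", "IsAdminOperation": 1,
     "RawEventData": {"Workload": "AzureActiveDirectory"}},
    # RawEventData handed over as a JSON string, as some exports do with dynamic columns
    {"Timestamp": "2023-03-29T10:15:00Z", "Application": "Office 365",
     "ActionType": "Reset user password.", "AccountDisplayName": "alice@contoso.example",
     "ActivityType": "Run", "IsAdminOperation": "1",
     "RawEventData": json.dumps({"Workload": "AzureActiveDirectory"})},
    # Admin operation, but not in the Office 365 application: excluded by the first filter
    {"Timestamp": "2023-03-29T10:20:00Z", "Application": "Microsoft Teams",
     "ActionType": "TeamSettingChanged", "AccountDisplayName": "dave@contoso.example",
     "ActivityType": "Run", "IsAdminOperation": 1,
     "RawEventData": {"Workload": "MicrosoftTeams"}},
]

TRUE_VALUES = {"true", "1"}


def is_admin_operation(value):
    """Accept both encodings the page compares against: bool/"true" (Sentinel) and 1/"1" (Advanced Hunting)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in TRUE_VALUES


def workload_of(raw_event_data):
    """Mirror `extend Workload=RawEventData.Workload`; the dynamic column may arrive as a dict or a JSON string."""
    if isinstance(raw_event_data, str):
        try:
            raw_event_data = json.loads(raw_event_data)
        except json.JSONDecodeError:
            return None
    if isinstance(raw_event_data, dict):
        return raw_event_data.get("Workload")
    return None


def aad_admin_operations(rows):
    """Apply the query's three where-clauses and project the same fields (RawEventData omitted for brevity)."""
    hits = []
    for row in rows:
        if row.get("Application") != "Office 365":
            continue
        if workload_of(row.get("RawEventData")) != "AzureActiveDirectory":
            continue
        if not is_admin_operation(row.get("IsAdminOperation")):
            continue
        hits.append({
            # Sentinel names the column TimeGenerated, Advanced Hunting names it Timestamp
            "Timestamp": row.get("TimeGenerated") or row.get("Timestamp"),
            "ActionType": row.get("ActionType"),
            "AccountDisplayName": row.get("AccountDisplayName"),
            "ActivityType": row.get("ActivityType"),
        })
    return hits


def summarize_by_account(events):
    """Triage view: how many AAD admin operations each account performed, and which ones."""
    summary = defaultdict(lambda: {"count": 0, "actions": set()})
    for event in events:
        entry = summary[event["AccountDisplayName"]]
        entry["count"] += 1
        entry["actions"].add(event["ActionType"])
    return dict(summary)


if __name__ == "__main__":
    matched = aad_admin_operations(SAMPLE_ROWS)
    for event in matched:
        print(event)
    for account, info in sorted(summarize_by_account(matched).items()):
        print(f"{account}: {info['count']} admin operation(s): {sorted(info['actions'])}")
```

On the constructed rows the detector returns three events (two for alice, one for carol); bob's SharePoint file access fails the workload check and dave's Teams change fails the application check, exactly as they would in the KQL. The per-account summary is the pivot an analyst usually wants next: a single account performing several directory admin operations in a short window is worth a closer look than one isolated role change.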

Matt Zorich
Released: March 29, 2023