Query Details

HUNT 08 AAD Prov Role Assignable Group Changes 30d

Query

id: aa1f0008-2008-4208-9208-aadprov-hunt08
name: HUNT-08 Provisioning of Role-Assignable Groups (30d)
description: |
  Provisioning operations that touched role-assignable groups (`IsAssignableToRole = true`).
  Membership changes to role-assignable groups effectively grant directory roles,
  so flowing them through the provisioning channel is highly anomalous and
  worth a manual review.
severity: High
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADProvisioningLogs
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1098
query: |
  AADProvisioningLogs
  | where TimeGenerated > ago(30d)
  | where ResultType =~ "Success"
  | where tostring(TargetIdentity) has "IsAssignableToRole"
       or tostring(ModifiedProperties) has "isAssignableToRole"
       or tostring(ModifiedProperties) has "directoryRoles"
  | extend Target       = tostring(parse_json(TargetIdentity).displayName),
           SPName       = tostring(parse_json(ServicePrincipal).Name),
           InitiatorUpn = tostring(parse_json(InitiatedBy).userPrincipalName),
           InitiatorApp = tostring(parse_json(InitiatedBy).displayName)
  | project TimeGenerated, JobId, CycleId, ChangeId, SPName,
            Initiator = coalesce(InitiatorUpn, InitiatorApp),
            TargetGroup = Target,
            OperationName, ProvisioningAction, ModifiedProperties
  | order by TimeGenerated desc

Explanation

This query is designed to monitor and identify unusual provisioning activities related to role-assignable groups in Azure Active Directory. Here's a simplified breakdown:

  • Purpose: The query focuses on detecting provisioning operations that involve role-assignable groups, which are groups that can be assigned directory roles. Changes to these groups can effectively grant directory roles, making such operations potentially suspicious and worthy of manual review.

  • Severity: The query is marked with a high severity level, indicating the importance of these operations and the potential risk they pose.

  • Data Source: It uses data from Azure Active Directory, specifically the AADProvisioningLogs.

  • Time Frame: The query looks at logs from the past 30 days.

  • Conditions: It filters for successful provisioning operations and keeps only those whose target identity or modified properties mention the role-assignable markers (IsAssignableToRole, directoryRoles).

  • Output: The query extracts and displays relevant details such as the time of the operation, job and cycle identifiers, the name of the service principal involved, the initiator's user principal name or application name, the target group affected, and the type of operation performed.

  • Order: The results are sorted by the time the operation was generated, in descending order, to show the most recent activities first.

Overall, this query helps in identifying and reviewing potentially risky changes to role-assignable groups, which could indicate privilege escalation or persistence tactics.
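The same filter and projection, re-implemented in Python over a handful of constructed AADProvisioningLogs rows, as an added example that is not part of the original query page: it exercises the three marker conditions, the ResultType check, the 30-day window and the coalesce fallback for Initiator. Column names follow the query; the row contents, the service principal name, the initiator names and the fixed "now" are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # assumed "now" for the ago(30d) window

def row(days_ago, result, target, modified, initiator):
    # Constructed AADProvisioningLogs row (not tenant data); dynamic columns as JSON strings
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "ResultType": result,
            "ChangeId": f"chg-{days_ago}", "ServicePrincipal": json.dumps({"Name": "HR-SCIM"}),
            "InitiatedBy": json.dumps(initiator), "TargetIdentity": json.dumps(target),
            "OperationName": "Update", "ProvisioningAction": "update",
            "ModifiedProperties": json.dumps(modified)}

ADMINS = {"displayName": "Privileged Admins", "IsAssignableToRole": True}
SAMPLE_LOGS = [
    row(2, "Success", ADMINS, [{"displayName": "isAssignableToRole"}],       # hit, user-initiated
        {"userPrincipalName": "svc-prov@contoso.example", "displayName": "Prov App"}),
    row(5, "Success", {"displayName": "Helpdesk Ops"},                         # hit, app-initiated
        [{"displayName": "directoryRoles"}], {"displayName": "Lifecycle App"}),
    row(1, "Success", {"displayName": "Sales Team"},                           # plain membership
        [{"displayName": "members"}], {"displayName": "Prov App"}),
    row(3, "Failure", ADMINS, [], {"displayName": "Prov App"}),                # failed, dropped
    row(45, "Success", ADMINS, [], {"displayName": "Prov App"}),               # too old, dropped
]

def has_term(blob, term):
    # KQL `has` is a case-insensitive term match; lower-cased substring is close enough here
    return term.lower() in blob.lower()

def hunt_role_assignable_group_changes(logs, now=NOW, window_days=30):
    hits = []
    for r in logs:
        if r["TimeGenerated"] <= now - timedelta(days=window_days):  # TimeGenerated > ago(30d)
            continue
        if r["ResultType"].lower() != "success":                     # ResultType =~ "Success"
            continue
        target, props = r["TargetIdentity"], r["ModifiedProperties"]
        if not (has_term(target, "IsAssignableToRole") or has_term(props, "isAssignableToRole")
                or has_term(props, "directoryRoles")):
            continue
        init = json.loads(r["InitiatedBy"])
        hits.append({"TimeGenerated": r["TimeGenerated"], "ChangeId": r["ChangeId"],
                     "SPName": json.loads(r["ServicePrincipal"]).get("Name"),
                     # coalesce(InitiatorUpn, InitiatorApp): first non-empty value wins
                     "Initiator": init.get("userPrincipalName") or init.get("displayName"),
                     "TargetGroup": json.loads(target).get("displayName"),
                     "OperationName": r["OperationName"],
                     "ProvisioningAction": r["ProvisioningAction"]})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)  # order by TimeGenerated desc
```

Widening window_days to 60 pulls the 45-day-old row back in, which is a quick way to confirm the time filter is the only thing excluding it.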

Details


David Alonso

Released: June 1, 2026

Tables

AADProvisioningLogs

Keywords

Provisioning Operations, Role Assignable Groups, Directory Roles, Azure Active Directory, Privilege Escalation, Persistence

Operators

where, ago, =~, tostring, has, or, extend, parse_json, project, coalesce, order by, desc
