KQL Search

Query Details

HomeAI ToolsDevice Query

High Privileged Role Assigned

Query

id: fa2dbd7d-0db5-4b9e-91f8-8547e6059050
name: High Privileged Role assigned
version: 1.0.0
kind: Scheduled
description: A user was assigned a high privileged role
severity: Low
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - PrivilegeEscalation
query: |+
  let HighPrivRoles = dynamic(["Global Administrator","Company Administrator","Privileged Authentication Administrator","Privileged Role Administrator"]);
  AuditLogs
  | where OperationName == "Add member to role"
  | mv-expand TargetResources
  | mv-expand TargetResources.modifiedProperties
  | where TargetResources_modifiedProperties.displayName == "Role.DisplayName"
  | extend AddedToRole = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
  | where AddedToRole in~ (HighPrivRoles)
  | extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName,InitiatedBy.app.servicePrincipalId)
  | extend TargetUsername = TargetResources.userPrincipalName
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  AddedToRole: AddedToRole
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUsername
suppressionDuration: 5h

Explanation

This query is designed to identify when a user is assigned a high privileged role. It looks for audit logs where the operation is "Add member to role" and checks if the role being added is one of the high privileged roles specified in the query. It also retrieves information about the actor who initiated the assignment and the target user who was assigned the role. If a match is found, an incident is created. The query runs every 30 minutes and has a low severity level.

Details

Fabian Bader profile picture

Fabian Bader

Released: July 25, 2023

Tables

AuditLogs

Keywords

Devices,Intune,User,PrivilegeEscalation

Operators

|==mv-expandwhereextendreplace_stringin~iffisnotempty

Actions