High Privileged Role Assigned
Query
let HighPrivRoles = dynamic(["Global Administrator","Company Administrator","Privileged Authentication Administrator","Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Add member to role"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName == "Role.DisplayName"
| extend AddedToRole = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| where AddedToRole in~ (HighPrivRoles)
| extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName,InitiatedBy.app.servicePrincipalId)
| extend TargetUsername = TargetResources.userPrincipalNameExplanation
This query is designed to identify when a user is assigned a high privileged role. It looks for audit logs where the operation is "Add member to role" and checks if the role being added is one of the high privileged roles specified in the query. It also retrieves information about the actor who initiated the assignment and the target user who was assigned the role. If a match is found, an incident is created. The query runs every 30 minutes and has a low severity level.
Details

Fabian Bader
Released: July 25, 2023
Tables
AuditLogs
Keywords
DevicesIntuneUserPrivilegeEscalation
Operators
|==mv-expandwhereextendreplace_stringin~iffisnotempty
Severity
LowTactics
PrivilegeEscalation
Frequency: 30m
Period: 30m