Query Details
//Query to find security alerts for users who have privileged Azure AD roles
//Data connector required for this query - Microsoft Sentinel UEBA
//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
let PrivRoles = dynamic(["Global Administrator", "Security Administrator", "Teams Administrator"]);
//Latest IdentityInfo record per account (arg_max on TimeGenerated), kept only for accounts holding one of the roles above
let identityinfo=
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles has_any (PrivRoles)
| extend TargetUserName = AccountName
| extend UserPrincipalName = AccountUPN
| project TargetUserName, UserPrincipalName, AssignedRoles;
//Alerts from the last 5 days; CompromisedEntity holds the alert's primary entity, which for user-centric alerts is the UPN
SecurityAlert
| where TimeGenerated >= ago(5d)
| extend AlertTime = TimeGenerated
| extend UserPrincipalName = CompromisedEntity
//Inner join keeps only alerts whose CompromisedEntity exactly matches a privileged user's UPN
| join kind=inner identityinfo on UserPrincipalName
| project AlertTime, TargetUserName, UserPrincipalName, AlertName, AssignedRoles

This query finds security alerts raised against users who hold privileged Azure AD roles. It requires two data connectors: Microsoft Sentinel UEBA, which populates the IdentityInfo table, and Security Alert, which populates the SecurityAlert table that Microsoft Defender products send their alerts to.
The query first defines a dynamic array, PrivRoles, holding the display names of the Azure AD roles to treat as privileged. Edit this list to match the roles that matter in your tenant.
Then it builds the identity set from IdentityInfo. Because that table accumulates multiple rows per account as UEBA refreshes it, arg_max(TimeGenerated, *) by AccountUPN keeps only the most recent row for each user, so role membership reflects the latest state recorded. It then filters for accounts whose AssignedRoles contains any of the privileged roles and renames AccountName and AccountUPN to TargetUserName and UserPrincipalName.
Next, it retrieves security alerts from the SecurityAlert table generated within the last 5 days, and renames TimeGenerated to AlertTime and CompromisedEntity to UserPrincipalName so that the join key and output columns line up.
Finally, an inner join on UserPrincipalName keeps only alerts whose CompromisedEntity matches a privileged user's UPN, and the desired columns are projected. Two caveats apply: KQL joins on string keys are case-sensitive, so a UPN recorded with different casing in the alert and in IdentityInfo will not match, and alerts whose CompromisedEntity is a host, IP address or other non-user entity are dropped even if a privileged account appears elsewhere in the alert's entity list.
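The following is an added example, not part of the original query, showing how to tighten the join described above: the key is lower-cased on both sides so casing differences no longer cause misses, and the match is made against every account entity in the alert's Entities JSON rather than against CompromisedEntity alone. It assumes the usual SecurityAlert entity layout, in which account entities carry Type "account" with Name and UPNSuffix fields; that layout is an assumption here and should be checked against your own alerts. SystemAlertId, AlertSeverity and ProviderName are standard SecurityAlert columns.

```kql
// Added example: privileged-user alert match that tolerates UPN casing differences
// and catches privileged accounts listed anywhere in the alert's Entities, not only CompromisedEntity.
let PrivRoles = dynamic(["Global Administrator", "Security Administrator", "Teams Administrator"]);
let PrivUsers =
    IdentityInfo
    | where isnotempty(AccountUPN)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles has_any (PrivRoles)
    // Lower-case the join key once here; the join below is then effectively case-insensitive
    | project UserPrincipalName = tolower(AccountUPN), TargetUserName = AccountName, AssignedRoles;
SecurityAlert
| where TimeGenerated >= ago(5d)
| extend AlertTime = TimeGenerated
// Entities is a JSON string; parse it and expand to one row per entity
| mv-expand Entity = todynamic(Entities)
// Assumed entity layout: account entities expose Type, Name and UPNSuffix
| where tostring(Entity.Type) =~ "account" and isnotempty(Entity.UPNSuffix)
| extend UserPrincipalName = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
| join kind=inner PrivUsers on UserPrincipalName
// One alert can list the same account more than once; collapse to one row per alert and account
| summarize arg_min(AlertTime, *) by SystemAlertId, UserPrincipalName
| project AlertTime, TargetUserName, UserPrincipalName, AlertName, AlertSeverity, ProviderName, AssignedRoles
```

Run this side by side with the original query; any rows it returns that the original does not are alerts the exact-match join on CompromisedEntity was missing, either through casing or because the privileged account was a secondary entity.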

Matt Zorich
Released: June 17, 2022