Query Details
Identity First Time Role Addition
Query
//Detect when a user adds someone to an Azure AD privileged role for the first time
//Data connector required for this query - Azure Active Directory - Audit Logs
//First build a set of known users who have completed this action previously
let knownusers=
AuditLogs
| where TimeGenerated > ago(90d) and TimeGenerated < ago(1d)
| where OperationName == "Add member to role"
//Exclude role additions made by the Azure AD PIM service
| where Identity != "MS-PIM"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| distinct Actor;
//Find events in the last day by users not in the known list
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Add member to role"
| where Identity != "MS-PIM"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Azure AD Role Name'] = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend Target = tostring(TargetResources[0].userPrincipalName)
| where Actor !in (knownusers)
| project TimeGenerated, Actor, Target, ['Azure AD Role Name']
Explanation
This query detects when a user adds someone to an Azure AD privileged role for the first time. It first builds a set of known users who have previously completed this action within the last 90 days. Then, it finds events in the last day by users who are not in the known list. The query includes information such as the time the action was generated, the user who initiated the action, the target user being added to the role, and the name of the Azure AD role being assigned.
Details
Matt Zorich
Released: June 17, 2022
Tables
AuditLogs
Keywords
AzureAD,AuditLogs,Addmembertorole,MS-PIM,InitiatedBy.user,TimeGenerated,Actor,Target,AzureADRoleName,TargetResources
Operators
whereagoanddistinctextendparse_jsontostringprojectin