Query Details

Identity Managed Identity Accessing New Resources

Query

//Detect when an Azure AD managed identity accesses a resource for the first time, e.g. an identity that previously only accessed storage now accesses a key vault

//Data connector required for this query - Azure Active Directory - Managed Identity Signin Logs

AADManagedIdentitySignInLogs
| where TimeGenerated > ago(60d) and TimeGenerated < ago(1d)
| where ResultType == "0"
| distinct ServicePrincipalId, ResourceIdentity
| join kind=rightanti (
    AADManagedIdentitySignInLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    )
    on ServicePrincipalId, ResourceIdentity
| project
    ['Service Principal DisplayName']=ServicePrincipalName,
    ['Service Principal Id']=ServicePrincipalId,
    ['Azure Resource Identity Id']=ResourceIdentity,
    ['Azure Resource DisplayName']=ResourceDisplayName
| distinct
    ['Service Principal DisplayName'],
    ['Service Principal Id'],
    ['Azure Resource DisplayName'],
    ['Azure Resource Identity Id']

Explanation

This query is used to detect when an Azure AD managed identity accesses a resource for the first time, for example an identity that previously only accessed storage now accessing a key vault. The query uses the Azure Active Directory - Managed Identity Signin Logs data connector.

The query first builds a baseline: it filters the logs to a specific time range (between 60 days ago and 1 day ago), selects only successful sign-ins (ResultType == "0"), and keeps the distinct combinations of ServicePrincipalId and ResourceIdentity seen in that window.

The query then performs a right anti-join between that baseline and the successful sign-ins from the past day, so only rows whose ServicePrincipalId and ResourceIdentity pair does not appear in the baseline survive. The final result is projected to show the display name and ID of the service principal, as well as the display name and ID of the Azure resource. Because the right side of the join is raw sign-in rows rather than distinct pairs, the distinct operator is used to remove duplicate rows in the result. Two properties of this design are worth keeping in mind when tuning it: the baseline window stops one day ago, so it never overlaps the detection window, and a managed identity that was created within the last day has no baseline at all, so every resource it touches will be reported.
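As an added illustration, not part of this query page or of the author's KQL, the following Python simulates the baseline / right-anti-join logic over a few constructed sign-in rows. It covers the cases the KQL handles implicitly (a failed sign-in, a pair already in the baseline, an event older than 60 days, duplicate rows) and adds one optional variant the query itself does not have: suppressing identities with no baseline history at all. Column layout, identifiers and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed mirror of the AADManagedIdentitySignInLogs columns the query uses.
Row = namedtuple("Row", "TimeGenerated ResultType ServicePrincipalId "
                        "ServicePrincipalName ResourceIdentity ResourceDisplayName")

NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)  # constructed "now" so results are reproducible

SAMPLE_LOGS = [  # constructed sample rows
    # baseline: sp-app reached storage 30 days ago
    Row(NOW - timedelta(days=30), "0", "sp-app", "app-identity", "storage-rid", "Azure Storage"),
    # detection window: sp-app reaches a key vault for the first time -> flagged
    Row(NOW - timedelta(hours=5), "0", "sp-app", "app-identity", "kv-rid", "Azure Key Vault"),
    # duplicate of the same new pair -> collapsed by distinct
    Row(NOW - timedelta(hours=6), "0", "sp-app", "app-identity", "kv-rid", "Azure Key Vault"),
    # known pair seen again -> not flagged
    Row(NOW - timedelta(hours=3), "0", "sp-app", "app-identity", "storage-rid", "Azure Storage"),
    # failed sign-in to a new resource -> ResultType != "0", ignored on both sides
    Row(NOW - timedelta(hours=2), "50058", "sp-app", "app-identity", "sql-rid", "Azure SQL"),
    # identity created today, no baseline -> every access is flagged (noise caveat)
    Row(NOW - timedelta(hours=1), "0", "sp-new", "new-identity", "storage-rid", "Azure Storage"),
    # only history is 90 days old, outside the 60d baseline -> still counts as first seen
    Row(NOW - timedelta(days=90), "0", "sp-old", "old-identity", "kv-rid", "Azure Key Vault"),
    Row(NOW - timedelta(hours=4), "0", "sp-old", "old-identity", "kv-rid", "Azure Key Vault"),
]


def first_seen_pairs(logs, now=NOW, baseline_days=60, detect_days=1, require_history=False):
    """Return sorted (SP name, SP id, resource name, resource id) tuples that mirror the
    query's output. require_history=True is an added variant (hypothetical, not in the
    page's KQL) that drops identities with no successful baseline sign-in at all."""
    baseline_start = now - timedelta(days=baseline_days)   # ago(60d)
    detect_start = now - timedelta(days=detect_days)       # ago(1d)
    successful = [r for r in logs if r.ResultType == "0"]
    # Left side: distinct (ServicePrincipalId, ResourceIdentity) pairs in the baseline window.
    baseline = {(r.ServicePrincipalId, r.ResourceIdentity)
                for r in successful if baseline_start < r.TimeGenerated < detect_start}
    known_identities = {sp for sp, _ in baseline}
    # rightanti: keep detection-window rows whose pair is absent from the baseline.
    flagged = {
        (r.ServicePrincipalName, r.ServicePrincipalId, r.ResourceDisplayName, r.ResourceIdentity)
        for r in successful
        if r.TimeGenerated > detect_start
        and (r.ServicePrincipalId, r.ResourceIdentity) not in baseline
        and (not require_history or r.ServicePrincipalId in known_identities)
    }
    return sorted(flagged)  # distinct + deterministic order
```

Running `first_seen_pairs(SAMPLE_LOGS)` yields three rows (app-identity to Key Vault, new-identity to Storage, old-identity to Key Vault); with `require_history=True` only the app-identity row remains.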

Details

Matt Zorich

Released: June 17, 2022

Tables

AADManagedIdentitySignInLogs

Keywords

AADManagedIdentitySignInLogs,TimeGenerated,ResultType,ServicePrincipalId,ResourceIdentity,ServicePrincipalName,ResourceDisplayName

Operators

where, >, <, ago, ==, distinct, join, kind=rightanti, on, project