Query Details

Office Activity Detect New Exchange Admin Role

Query

//Detect when a new Exchange admin role is created and parse the permissions
//Data connector required for this query - Office 365
OfficeActivity
| where Operation == "New-RoleGroup"
| where RecordType == "ExchangeAdmin"
| parse Parameters with * 'Name","Value":"' ['Role Name'] '"' *
| parse Parameters with * 'Roles","Value":"' ['Permissions Added'] '"' *
| project TimeGenerated, Actor=UserId, ['Role Name'], ['Permissions Added']

Explanation

This query is used to detect when a new Exchange admin role is created and extract the permissions associated with it. It requires a data connector for Office 365. It filters the OfficeActivity table for entries where the operation is "New-RoleGroup" and the record type is "ExchangeAdmin". It then parses the parameters to extract the role name and the permissions added. The final result includes the time generated, the actor (user ID), the role name, and the permissions added.
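The following Python snippet is an added illustration of what the query does, not code from the page or its author. It runs the same filter and projection over a few constructed OfficeActivity rows and contrasts the page's substring-style `parse` with a JSON-aware lookup. It assumes the Parameters column is a JSON array of `{"Name": ..., "Value": ...}` objects, which is the shape the patterns `'Name","Value":"'` and `'Roles","Value":"'` depend on; the records, user names and role names are constructed for the example.

```python
import json
from typing import List, Optional


def _params(*pairs) -> str:
    """Serialise Name/Value pairs the way the KQL patterns expect (no spaces)."""
    return json.dumps([{"Name": n, "Value": v} for n, v in pairs],
                      separators=(",", ":"))


# Constructed sample OfficeActivity rows (not real tenant data).
SAMPLE_RECORDS = [
    {
        "TimeGenerated": "2022-06-17T10:15:00Z",
        "RecordType": "ExchangeAdmin",
        "Operation": "New-RoleGroup",
        "UserId": "admin@contoso.example",
        "Parameters": _params(("Name", "Tier0 Mailbox Export"),
                              ("Roles", "Mailbox Import Export;Mailbox Search")),
    },
    {
        # DisplayName precedes Name here: a first-match substring parse for
        # 'Name","Value":"' lands on "DisplayName" and returns the wrong value.
        "TimeGenerated": "2022-06-17T11:02:00Z",
        "RecordType": "ExchangeAdmin",
        "Operation": "New-RoleGroup",
        "UserId": "helpdesk@contoso.example",
        "Parameters": _params(("DisplayName", "Helpdesk Display"),
                              ("Name", "Helpdesk Operators"),
                              ("Roles", "View-Only Recipients")),
    },
    {
        # Unrelated cmdlet: the Operation filter must drop it.
        "TimeGenerated": "2022-06-17T11:30:00Z",
        "RecordType": "ExchangeAdmin",
        "Operation": "Set-Mailbox",
        "UserId": "admin@contoso.example",
        "Parameters": _params(("Identity", "someone")),
    },
]


def kql_style_parse(parameters: str, marker: str) -> Optional[str]:
    """Mimic `parse Parameters with * '<marker>' X '"' *`: first substring match."""
    start = parameters.find(marker)
    if start == -1:
        return None
    start += len(marker)
    end = parameters.find('"', start)
    return parameters[start:end] if end != -1 else None


def parameter_value(parameters: str, name: str) -> Optional[str]:
    """JSON-aware lookup: decode the array and match the Name field exactly."""
    try:
        items = json.loads(parameters)
    except json.JSONDecodeError:
        return None
    for item in items:
        if isinstance(item, dict) and item.get("Name") == name:
            return item.get("Value")
    return None


def detect_new_role_groups(records: List[dict], robust: bool = True) -> List[dict]:
    """Apply the query's where/parse/project steps to OfficeActivity-like rows."""
    results = []
    for r in records:
        if r.get("Operation") != "New-RoleGroup" or r.get("RecordType") != "ExchangeAdmin":
            continue
        params = r.get("Parameters", "")
        if robust:
            role = parameter_value(params, "Name")
            perms = parameter_value(params, "Roles")
        else:
            role = kql_style_parse(params, 'Name","Value":"')
            perms = kql_style_parse(params, 'Roles","Value":"')
        results.append({
            "TimeGenerated": r["TimeGenerated"],
            "Actor": r["UserId"],
            "Role Name": role,
            "Permissions Added": perms,
        })
    return results


if __name__ == "__main__":
    for row in detect_new_role_groups(SAMPLE_RECORDS):
        print(row)
```

The `robust=False` path reproduces the behaviour of the page's `parse` statements, which take the first occurrence of the marker string; on the second sample row that yields the DisplayName rather than the Name. In KQL the same exact-match lookup can be done with `parse_json(Parameters)` and `mv-apply` instead of string patterns if that ordering turns up in your tenant's data.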

Details


Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

Exchange, Admin, Permissions, Office365

Operators

where, ==, parse with, project
