Query Details

Audit RBAC Changes Defender XDR

RBAC Changes

Query

CloudAppEvents
| extend Workload = tostring(parse_json(RawEventData).Workload)
| where Workload contains "Defender"
| where ActionType endswith "Role"
| extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
| project-reorder Timestamp, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups

About this query

Audit RBAC Changes Defender XDR

Query Information

Description

The query below can be used to monitor RBAC changes in Defender XDR. This query list additions, deletions and changes, if you only want to monitor specific actions you can enhance the query by filtering on the actiontype.

References

Defender XDR

Sentinel

CloudAppEvents
| extend Workload = tostring(parse_json(RawEventData).Workload)
| where Workload contains "Defender"
| where ActionType endswith "Role"
| extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
| project-reorder TimeGenerated, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups

Explanation

This query is designed to monitor changes in Role-Based Access Control (RBAC) within Microsoft Defender XDR. It tracks when roles are added, deleted, or modified. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the CloudAppEvents table, which contains logs of various cloud application events.

  2. Filter for Defender: It filters the events to only include those related to Microsoft Defender by checking if the Workload field contains "Defender".

  3. Filter for Role Changes: It further narrows down the events to those where the ActionType ends with "Role", indicating that the event is related to role changes.

  4. Extract Role Details: The query extracts specific details from the event data, such as:

    • RoleName: The name of the role involved in the change.
    • RolePermissions: The permissions associated with the role.
    • AssignedGroups: The groups assigned to the role.
  5. Organize Output: It organizes the output to display the timestamp of the event, the type of action performed, the account ID involved, and the extracted role details.

The query is structured to work with both Defender XDR and Sentinel, with a slight difference in the timestamp field used (Timestamp for Defender XDR and TimeGenerated for Sentinel). This allows users to monitor RBAC changes effectively in either platform.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

CloudAppEvents

Keywords

AuditRBACChangesDefenderXDR

Operators

extendtostringparse_jsonwherecontainsendswithproject-reorder

Actions

GitHub