# Audit RBAC Changes Defender XDR

## Query Information

### Description
The query below can be used to monitor RBAC changes in Defender XDR. It lists role additions, deletions and modifications; if you only want to monitor specific actions, you can narrow the query by filtering on the ActionType column.

### References
- https://learn.microsoft.com/en-us/defender-xdr/m365d-permissions
- https://learn.microsoft.com/en-us/defender-endpoint/rbac

## Defender For Endpoint
```
CloudAppEvents
| extend Workload = tostring(parse_json(RawEventData).Workload)
| where Workload contains "Defender"
| where ActionType endswith "Role"
| extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
| project-reorder Timestamp, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups
```
## Sentinel
```
CloudAppEvents
| extend Workload = tostring(parse_json(RawEventData).Workload)
| where Workload contains "Defender"
| where ActionType endswith "Role"
| extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
| project-reorder TimeGenerated, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups
```
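As an added example (not part of the original query or Bert-Jan Pals' repository), the same Workload/ActionType filtering and RawEventData parsing re-implemented in Python so the logic can be tested offline against exported CloudAppEvents rows. The sample events, their ActionType values and account IDs are constructed, and the optional action_filter parameter implements the ActionType filter the description suggests.

```python
import json

def _tostring(value):
    """Mimic KQL tostring(): scalars as text, dynamic arrays/objects as compact JSON."""
    if value is None:
        return ""
    return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))

def audit_rbac_changes(events, action_filter=None, time_column="Timestamp"):
    """Offline equivalent of the page's query. KQL contains/endswith are
    case-insensitive, so the comparisons here lower-case both sides.
    action_filter narrows to specific ActionType values (the page's suggested
    enhancement); time_column is "TimeGenerated" for Sentinel exports."""
    rows = []
    for ev in events:
        raw = json.loads(ev.get("RawEventData") or "{}")
        workload = _tostring(raw.get("Workload"))
        action = _tostring(ev.get("ActionType"))
        if "defender" not in workload.lower() or not action.lower().endswith("role"):
            continue
        if action_filter and action not in action_filter:
            continue
        rows.append({
            time_column: ev.get(time_column),
            "ActionType": action,
            "AccountObjectId": ev.get("AccountObjectId"),
            "RoleName": _tostring(raw.get("RoleName")),
            "RolePermissions": _tostring(raw.get("RolePermissions")),
            "AssignedGroups": _tostring(raw.get("AssignedGroups")),
        })
    return rows

# Constructed sample rows (not tenant data; ActionType values and IDs are invented).
def _row(ts, action, account, data):
    return {"Timestamp": ts, "ActionType": action, "AccountObjectId": account,
            "RawEventData": json.dumps(data)}

SAMPLE_EVENTS = [
    _row("2024-06-19T08:00:00Z", "AddRole", "aaaa-0001",
         {"Workload": "MicrosoftDefenderForEndpoint", "RoleName": "SOC Tier 1",
          "RolePermissions": ["viewData", "alertsInvestigation"], "AssignedGroups": ["SOC-Analysts"]}),
    _row("2024-06-19T08:05:00Z", "DeleteRole", "aaaa-0002",
         {"Workload": "MicrosoftDefenderForEndpoint", "RoleName": "Legacy Admin",
          "RolePermissions": ["viewData", "remediationActions"], "AssignedGroups": []}),
    _row("2024-06-19T08:10:00Z", "AddRole", "aaaa-0003",  # other workload: excluded
         {"Workload": "Exchange", "RoleName": "Mailbox Reader", "RolePermissions": []}),
    _row("2024-06-19T08:15:00Z", "UserLoggedIn", "aaaa-0001",  # not a role change: excluded
         {"Workload": "MicrosoftDefenderForEndpoint"}),
]
```

Running audit_rbac_changes(SAMPLE_EVENTS) returns the two Defender role events and drops the Exchange and sign-in rows, which is the same row set the KQL above would produce.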

Explanation

This query helps monitor RBAC (Role-Based Access Control) changes in Defender XDR. It lists additions, deletions, and changes in roles. You can filter specific actions by modifying the query. It provides information on the timestamp, action type, account object ID, role name, role permissions, and assigned groups.

Details

Bert-Jan Pals

Released: June 19, 2024

Tables

CloudAppEvents

Keywords

RBAC, Defender, XDR, CloudAppEvents, Workload, ActionType, RoleName, RolePermissions, AssignedGroups, Timestamp, AccountObjectId, TimeGenerated

Operators

extend, where, contains, endswith, project-reorder