Query Details

Summary Of Privileged Operations By Directory Role Member

Query

// Query based on Microsoft TechCommunity blog post "Easily Manage Privileged Role Assignments in Microsoft Entra ID Using Audit Logs"
// Source: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/easily-manage-privileged-role-assignments-in-microsoft-entra-id/ba-p/4013854
// List of operations (sorted by count) performed by privileged users (and all directory roles) in the last 14 days and showing related Enterprise Access Model Tiering Level and built-in classification by Microsoft (isPrivileged)
// Known limitation: Does not cover workload identities

let Lookback = 14d;
let PrivilegedRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| extend EAMTierLevelName = Classification.EAMTierLevelName
| project RoleName, isPrivileged, EAMTierLevelName;
AuditLogs 
| where TimeGenerated > ago(Lookback) 
| extend ActorName = iif( 
                         isnotempty(tostring(InitiatedBy["user"])),  
                         tostring(InitiatedBy["user"]["userPrincipalName"]), 
                         tostring(InitiatedBy["app"]["displayName"]) 
                     ) 
| extend ActorID = iif( 
                       isnotempty(tostring(InitiatedBy["user"])),  
                       tostring(InitiatedBy["user"]["id"]), 
                       tostring(InitiatedBy["app"]["appId"]) 
                   ) 
| where isnotempty(ActorName) 
| join kind=inner (IdentityInfo 
    | where TimeGenerated > ago(Lookback) 
    | mv-expand AssignedRoles
    | extend RoleName = tostring(AssignedRoles)
    | join kind=inner ( PrivilegedRoles) on RoleName
    | summarize EAMTierLevelName = make_set(EAMTierLevelName), isPrivileged = make_set(isPrivileged), AssignedRoles = make_set(AssignedRoles) by AccountObjectId
    | extend isPrivileged = iff((isPrivileged contains "true"), true, false)
    ) on $left.ActorID == $right.AccountObjectId 
| where AssignedRoles has_any (PrivilegedRoles) 
| summarize Operations = make_set(OperationName) by ActorName, ActorID, tostring(AssignedRoles), tostring(isPrivileged), tostring(EAMTierLevelName)
| extend OperationsCount = array_length(Operations) 
| project ActorName, ActorID, EAMTierLevelName, isPrivileged, AssignedRoles, Operations, OperationsCount
| sort by OperationsCount desc

Explanation

This query is designed to analyze and summarize the activities of privileged users within Microsoft Entra ID over the past 14 days. Here's a simplified breakdown of what the query does:

  1. Define Lookback Period: It sets a time frame of the last 14 days to analyze the data.

  2. Load Privileged Roles Data: It imports a list of roles from an external JSON source, filtering out any roles that are unclassified. Each role is associated with a tier level and a classification indicating whether it is privileged.

  3. Filter Audit Logs: It retrieves audit log entries from the past 14 days, focusing on actions initiated by users or applications. It extracts the name and ID of the actor (user or app) responsible for each action.

  4. Join with Identity Information: It combines the audit log data with identity information to identify which roles are assigned to each actor. This step ensures that only actions performed by users with privileged roles are considered.

  5. Summarize Operations: For each actor, it compiles a list of operations they performed, along with their assigned roles, whether they are privileged, and their tier level.

  6. Count and Sort Operations: It counts the number of unique operations each actor performed and sorts the results in descending order based on this count.

  7. Output: The final output includes the actor's name and ID, their roles, whether they are privileged, their tier level, the operations they performed, and the count of these operations.

The query helps administrators understand the activities of privileged users, focusing on the types and frequency of operations they perform, which can be crucial for security and compliance monitoring. Note that the query does not cover actions by workload identities.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: March 25, 2024

Tables

AuditLogsIdentityInfo

Keywords

AuditLogsPrivilegedRolesIdentityInfoActorNameIDOperationsCount

Operators

letexternaldatawithwhereextendprojectagoiifisnotemptytostringjoinkindmv-expandsummarizemake_setiffonhas_anyarray_lengthsort by

Actions

GitHub