Query Details

Identify Log Analytics Contributor And Data Purger Role Assignment

Query

# Identify Log Analytics Contributor and Data Purger role assignment

# Description

The following query identifies role assignments of Log Analytics Contributor and Data Purger made in the resource group that holds your Sentinel Log Analytics workspace. Either assignment deserves attention: a principal holding one of these roles can purge data from Sentinel's Log Analytics workspace, destroying evidence that detections, investigations and retention obligations depend on.

### Microsoft Sentinel
```
let AzRoleID = dynamic(["92aaf0da-9dab-42b6-94a3-d43ce8d16293", "150f5e0c-0603-4f03-8c7f-cf70034c4e90"]); // Built-in role definition IDs: Log Analytics Contributor, Data Purger
let LAWResourceGroup = "<your log analytics workspace resource group here>"; // Resource group containing Sentinel's Log Analytics workspace
AzureActivity
| where ResourceGroup =~ LAWResourceGroup // case-insensitive compare: AzureActivity frequently upper-cases ResourceGroup
| extend EventSubmissionTimeStamp = tostring(parse_json(Properties).eventSubmissionTimestamp)
| extend EventCaller = tostring(parse_json(Properties).caller)
| extend EventCallerIPAddress = tostring(parse_json(tostring(parse_json(Properties).httpRequest)).clientIpAddress) // httpRequest is itself a JSON string nested inside Properties
| extend EventMessage = tostring(parse_json(Properties).message)
| extend EventRoleDefinitionId = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).RoleDefinitionId) // requestbody is only present on roleAssignments/write events; its Properties.RoleDefinitionId is the full role definition resource ID ending in the role GUID
| where EventRoleDefinitionId has_any (AzRoleID) // keep only assignments of the two roles of interest; rows without a requestbody yield an empty string and drop out here
| extend RoleName = case(
    EventRoleDefinitionId endswith "92aaf0da-9dab-42b6-94a3-d43ce8d16293", "Log Analytics Contributor",
    EventRoleDefinitionId endswith "150f5e0c-0603-4f03-8c7f-cf70034c4e90", "Data Purger",
    "Other")
| project EventSubmissionTimeStamp, EventCaller, EventCallerIPAddress, EventMessage, EventRoleDefinitionId, RoleName
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 30/06/2025    | Initial publish                        |

Explanation

This query checks whether two specific roles, "Log Analytics Contributor" and "Data Purger", have been assigned within the Azure resource group that holds your Microsoft Sentinel Log Analytics workspace. These roles matter because they allow their holders to purge data from the workspace, which is a direct threat to the integrity of your security logs.

Here's a simplified breakdown of what the query does:

  1. Role Identification: It lists the built-in role definition IDs for "Log Analytics Contributor" and "Data Purger". These GUIDs are the same in every tenant.

  2. Resource Group Specification: You specify the resource group that contains your Sentinel Log Analytics workspace.

  3. Activity Filtering: The query searches the AzureActivity table for events whose ResourceGroup matches that resource group.

  4. Data Extraction: It unpacks the Properties JSON of each event to pull out the submission time, the caller, the caller's IP address (from the nested httpRequest object), the event message and the RoleDefinitionId from the nested request body. Only role-assignment write events carry a request body, so other events fall out of the result.

  5. Role Check: It keeps events whose RoleDefinitionId ends with one of the two GUIDs and labels each with the matching role name.

  6. Result Presentation: The query outputs a list of events with when they occurred, who initiated them, their IP address, the event message, the full role definition ID and the role name.

This query helps you monitor that these powerful roles are not assigned without oversight, thereby maintaining the security and integrity of your log data. One caveat: the ResourceGroup filter only catches assignments made at resource-group or workspace scope. An assignment of either role at subscription or management-group scope is inherited by the workspace just the same, but its AzureActivity row has an empty ResourceGroup and is not returned. Drop the ResourceGroup filter (or filter on the subscription instead) to cover inherited assignments, and periodically reconcile the results against the workspace's effective role assignments rather than relying on activity logs alone.
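To make the extraction concrete, here is an added Python example (not from the page or its author) that replays the query's logic over constructed AzureActivity-shaped rows, including the nested httpRequest and requestbody JSON strings the query unpacks with repeated parse_json/tostring calls. The resource group name, subscription ID, principal names and IP addresses are assumptions; the two role definition IDs are the built-in ones the query uses. The example also shows the scope caveat: a Data Purger assignment made at subscription scope carries an empty ResourceGroup and is dropped by the resource group filter unless that filter is relaxed.

```python
import json

# Built-in Azure role definition IDs used by the page's query (identical in every tenant).
ROLE_NAMES = {
    "92aaf0da-9dab-42b6-94a3-d43ce8d16293": "Log Analytics Contributor",
    "150f5e0c-0603-4f03-8c7f-cf70034c4e90": "Data Purger",
}
LA_CONTRIBUTOR = "92aaf0da-9dab-42b6-94a3-d43ce8d16293"
DATA_PURGER = "150f5e0c-0603-4f03-8c7f-cf70034c4e90"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # built-in Reader role, used only as a negative sample

SUB = "00000000-0000-0000-0000-000000000000"  # assumption: constructed subscription ID
RG = "rg-sentinel"                             # assumption: hypothetical resource group holding the workspace
RG_SCOPE = f"/subscriptions/{SUB}/resourceGroups/{RG}"


def activity_record(resource_group, caller, ip, scope, role_def_id=None):
    """Build one constructed AzureActivity-shaped row.

    Properties is a JSON string whose httpRequest and requestbody members are
    themselves JSON strings, which is why the KQL query wraps each of them in
    tostring()/parse_json() again. role_def_id=None models an event with no
    request body (for example a role assignment deletion)."""
    props = {
        "eventSubmissionTimestamp": "2025-06-30T10:15:00.000Z",
        "caller": caller,
        "httpRequest": json.dumps({"clientIpAddress": ip, "method": "PUT"}),
        "message": "Microsoft.Authorization/roleAssignments/write",
    }
    if role_def_id is not None:
        props["requestbody"] = json.dumps({
            "Id": "11111111-1111-1111-1111-111111111111",
            "Properties": {
                "PrincipalId": "22222222-2222-2222-2222-222222222222",
                "PrincipalType": "User",
                "RoleDefinitionId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_def_id}",
                "Scope": scope,
            },
        })
    return {
        "ResourceGroup": resource_group,
        "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
        "Properties": json.dumps(props),
    }


def extract(row):
    """Mirror the query's extend steps. Returns the projected fields, or None
    when the row has no request body or names a role we do not care about."""
    p = json.loads(row["Properties"])
    body = p.get("requestbody")
    if not body:
        return None
    role_def = json.loads(body).get("Properties", {}).get("RoleDefinitionId", "")
    guid = role_def.rsplit("/", 1)[-1].lower()  # equivalent to the query's endswith match
    if guid not in ROLE_NAMES:
        return None
    return {
        "EventSubmissionTimeStamp": p.get("eventSubmissionTimestamp"),
        "EventCaller": p.get("caller"),
        "EventCallerIPAddress": json.loads(p.get("httpRequest", "{}")).get("clientIpAddress"),
        "EventMessage": p.get("message"),
        "EventRoleDefinitionId": role_def,
        "RoleName": ROLE_NAMES[guid],
    }


def find_risky_assignments(rows, law_resource_group, restrict_to_rg=True):
    """Replay the query over rows. ResourceGroup is compared case-insensitively
    because AzureActivity often upper-cases it. With restrict_to_rg=False the
    resource group filter is dropped so assignments at subscription scope, which
    the workspace inherits, are surfaced as well."""
    hits = []
    for row in rows:
        if restrict_to_rg and row["ResourceGroup"].lower() != law_resource_group.lower():
            continue
        fields = extract(row)
        if fields:
            hits.append(fields)
    return hits


# Constructed sample rows, not real tenant data.
SAMPLE_ROWS = [
    activity_record(RG, "alice@contoso.example", "203.0.113.10", RG_SCOPE, LA_CONTRIBUTOR),
    activity_record(RG.upper(), "bob@contoso.example", "203.0.113.11", RG_SCOPE, DATA_PURGER),  # upper-cased RG
    activity_record(RG, "carol@contoso.example", "203.0.113.12", RG_SCOPE, READER),           # harmless role
    activity_record("", "dave@contoso.example", "203.0.113.13", f"/subscriptions/{SUB}", DATA_PURGER),  # subscription scope
    activity_record(RG, "erin@contoso.example", "203.0.113.14", RG_SCOPE),                    # no request body
]

if __name__ == "__main__":
    for hit in find_risky_assignments(SAMPLE_ROWS, RG):
        print("in-RG assignment:", hit["EventCaller"], hit["EventCallerIPAddress"], hit["RoleName"])
    for hit in find_risky_assignments(SAMPLE_ROWS, RG, restrict_to_rg=False):
        print("any scope:", hit["EventCaller"], hit["RoleName"])
```

With the resource group filter on, only Alice's and Bob's assignments are returned (Bob's row matches despite the upper-cased ResourceGroup); Carol's Reader assignment and Erin's body-less event fall out. Dave's subscription-scope Data Purger assignment only appears when the filter is relaxed, which is the blind spot to keep in mind when you rely on this query alone.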

Details


Michalis Michalos

Released: June 30, 2025

Tables

AzureActivity

Keywords

Microsoft Sentinel, Azure Activity, Log Analytics Contributor, Data Purger, Resource Group, Users

Operators

let, dynamic, where, extend, tostring, parse_json, has_any, case, endswith, project
