Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

List All Role Additions

Wayne Andes 3 min read

Description

This KQL query list all role additions that have been performed in your tenant. See the Microsoft Link for the default roles that exists in Azure Active Directory. They contain reader, operator, administrator and other roles. It is good practice to gain insight into the roles that have been assigned to accounts. Based on this query you can build a detection for specific roles with high privileges such as Global Admin, Security Admin or Exchange Admin.

Query

Microsoft Sentinel
Kusto
AuditLogs
| where OperationName == 'Add member to role'
// If you do want to show PIM activations remove this filter
| where Identity != 'MS-PIM'
| extend RoleLine = tostring(extract(@'Role.DisplayName(.*?)"}', 1, tostring(TargetResources)))
| extend Role = tostring(extract(@'newValue":"\\"(.*?)\\', 1, RoleLine)), userPrincipalName = parse_json(TargetResources).[0].userPrincipalName
| project TimeGenerated, Role, OperationName, userPrincipalName, Identity

References

You May Also Like

Detect Anomalous Group Policy Discovery

Wayne Andes

List Active Directory Group Additions

Wayne Andes

List Malicious Network Traffic Detected From LAN To WAN By Fortinet

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *