Query Details

Grant High Privilege Azure AD Role To Identity

Query

let HighPrivRoles = dynamic(["Company Administrator","Privileged Authentication Administrator","Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Add member to role"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName == "Role.DisplayName"
| extend TargetObjectId = TargetResources.id
| extend TargetObjectDisplayName = TargetResources.displayName
| extend InitiatedByUserPrincipalName = InitiatedBy.user.userPrincipalName
| extend AddedToRole = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| where AddedToRole in~ (HighPrivRoles)
| extend IPCustomEntity = todynamic(InitiatedBy).user.ipAddress
| extend ServicePrincipalAppId = todynamic(TargetResources).modifiedProperties[5].displayName
| project timestamp = TimeGenerated, IPCustomEntity, AccountCustomEntity=InitiatedByUserPrincipalName,TargetObjectId,TargetObjectDisplayName, AddedToRole

Explanation

This query is designed to identify when a user or other identity is added to a high privilege Azure AD role. It looks for the operation of adding a member to a role in the audit logs and filters for specific high privilege roles. It extracts relevant information such as the timestamp, IP address, user account, target object ID, target object display name, and the role that was added. The query is scheduled to run once a day and has a medium severity level. It is relevant to the persistence tactic and the T1098 technique.

Details

Fabian Bader profile picture

Fabian Bader

Released: March 25, 2022

Tables

AuditLogs

Keywords

Azure ADIdentityRoleAuditLogs

Operators

|:=dynamicletwheremv-expandextendreplace_stringin~todynamicproject

Severity

Medium

Tactics

Persistence

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub