Query Details

High Privileged Role Assigned

Query

let HighPrivRoles = dynamic(["Global Administrator","Company Administrator","Privileged Authentication Administrator","Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Add member to role"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName == "Role.DisplayName"
| extend AddedToRole = replace_string(tostring(TargetResources_modifiedProperties.newValue),'"','')
| where AddedToRole in~ (HighPrivRoles)
| extend Actor = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName,InitiatedBy.app.servicePrincipalId)
| extend TargetUsername = TargetResources.userPrincipalName

Explanation

This query is designed to identify when a user is assigned a high privileged role. It looks for audit logs where the operation is "Add member to role" and checks if the role being added is one of the high privileged roles specified in the query. It also retrieves information about the actor who initiated the assignment and the target user who was assigned the role. If a match is found, an incident is created. The query runs every 30 minutes and has a low severity level.

Details

Fabian Bader profile picture

Fabian Bader

Released: July 25, 2023

Tables

AuditLogs

Keywords

DevicesIntuneUserPrivilegeEscalation

Operators

|==mv-expandwhereextendreplace_stringin~iffisnotempty

Severity

Low

Tactics

PrivilegeEscalation

Frequency: 30m

Period: 30m

Actions

GitHub