Audit RBAC Changes Defender XDR
RBAC Changes
Query
CloudAppEvents
| extend Workload = tostring(parse_json(RawEventData).Workload)
| where Workload contains "Defender"
| where ActionType endswith "Role"
| extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
| project-reorder Timestamp, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroupsAbout this query
Audit RBAC Changes Defender XDR
Query Information
Description
The query below can be used to monitor RBAC changes in Defender XDR. This query list additions, deletions and changes, if you only want to monitor specific actions you can enhance the query by filtering on the actiontype.
References
- https://learn.microsoft.com/en-us/defender-xdr/m365d-permissions
- https://learn.microsoft.com/en-us/defender-endpoint/rbac
- https://kqlquery.com/posts/audit-defender-xdr/
Defender XDR
Sentinel
CloudAppEvents
| extend Workload = tostring(parse_json(RawEventData).Workload)
| where Workload contains "Defender"
| where ActionType endswith "Role"
| extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
| project-reorder TimeGenerated, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups
Explanation
This query is designed to monitor changes in Role-Based Access Control (RBAC) within Microsoft Defender XDR. It tracks when roles are added, deleted, or modified. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
CloudAppEventstable, which contains logs of various cloud application events. -
Filter for Defender: It filters the events to only include those related to Microsoft Defender by checking if the
Workloadfield contains "Defender". -
Filter for Role Changes: It further narrows down the events to those where the
ActionTypeends with "Role", indicating that the event is related to role changes. -
Extract Role Details: The query extracts specific details from the event data, such as:
RoleName: The name of the role involved in the change.RolePermissions: The permissions associated with the role.AssignedGroups: The groups assigned to the role.
-
Organize Output: It organizes the output to display the timestamp of the event, the type of action performed, the account ID involved, and the extracted role details.
The query is structured to work with both Defender XDR and Sentinel, with a slight difference in the timestamp field used (Timestamp for Defender XDR and TimeGenerated for Sentinel). This allows users to monitor RBAC changes effectively in either platform.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators