Forum Discussion
ColonelHawx1008
Jul 14, 2022 (Copper Contributor)
Extract AzureAD "Groups" Audit Logs from Azure Sentinel
Hi all, as the title says, I am looking for a simple KQL query that would allow us to retrieve Azure AD group audit logs from Sentinel, as we all know that Azure AD only retains this data for 30 days.
markscottuk
Jul 14, 2022 (Copper Contributor)
I did something similar earlier. How about:
AuditLogs
| where OperationName contains "group"
This should give you a good start, then you can add more to the query to reduce the noise.
ColonelHawx1008
Jul 14, 2022 (Copper Contributor)
Test this, which sort of works... Will try the above...
//Summarize all groups that have had users added to them via dynamic rules
//Data connector required for this query - Azure Active Directory - Audit Logs
AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Add member to group"
//Uncomment to keep only additions made by the dynamic-membership processor
//| where Identity == "Microsoft Approval Management"
//The first target resource is the member being added; keep only user objects
| where TargetResources[0].type == "User"
//modifiedProperties is a JSON string; entry [1].newValue holds the group
//display name as a JSON-encoded string, hence the double parse_json/tostring
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc
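As an added example (not part of the thread), the query above generalised to cover member and owner removals as well as additions, to record who made each change, and to locate the group name in modifiedProperties by its displayName rather than by array position. It assumes the standard AuditLogs schema delivered by the Azure AD Audit Logs connector (Category, InitiatedBy, TargetResources).

```kql
// Added example, not from the original post: group membership and
// ownership changes per group and day, with the initiating identity.
let lookback = 90d;
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "GroupManagement"
| where OperationName in ("Add member to group", "Remove member from group",
                          "Add owner to group", "Remove owner from group")
// Initiator is either an interactive user or an application/service principal
| extend Actor = coalesce(
        tostring(InitiatedBy.user.userPrincipalName),
        tostring(InitiatedBy.app.displayName))
// The member/owner affected is the first target resource
| extend Target = coalesce(
        tostring(TargetResources[0].userPrincipalName),
        tostring(TargetResources[0].displayName))
// Find the Group.DisplayName entry by name; adds populate newValue,
// removals populate oldValue, and each value is a JSON-encoded string
| mv-apply prop = TargetResources[0].modifiedProperties on (
    where prop.displayName == "Group.DisplayName"
    | extend GroupName = coalesce(
            tostring(parse_json(tostring(prop.newValue))),
            tostring(parse_json(tostring(prop.oldValue))))
  )
| summarize
    Changes = count(),
    Adds = countif(OperationName startswith "Add"),
    Removes = countif(OperationName startswith "Remove"),
    Actors = make_set(Actor),
    Targets = make_set(Target)
    by GroupName, Day = bin(TimeGenerated, 1d)
| order by Day desc, Changes desc
```

Because Sentinel keeps these rows for the workspace retention period rather than Azure AD's 30 days, the lookback can be extended as far as the workspace retains data.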