Forum Discussion
BrandonConn007
Jan 10, 2024, Copper Contributor
Sentinel Assistance - KQL Query
Hey! Looking for assistance with creating a KQL query that can look at members of approx. 15 dynamic security groups and identify if they have any SharePoint site permissions across a tenant. My ass...
Clive_Watson
Jan 10, 2024, Bronze Contributor
Do you need to know which permission or the fact they have some?
This will look at usage of SharePoint (with any permission) and enables you to add your 15 groups.
You firstly need to edit line #1 for your groups.
// edit this list: the names of the dynamic security groups to check
let myGroups = dynamic(["group 1","Group2","Add the next 13 groups here"]);
SigninLogs
// did they log on successfully and also have SharePoint activity?
| where ResultType == "0"
| summarize SharePointactivity=countif(AppDisplayName has 'SharePoint') by UserPrincipalName, AppDisplayName
| join
(
IdentityInfo
// check these groups for membership (GroupMembership is a dynamic array of group names)
| where GroupMembership has_any(myGroups)
| summarize listGroups=make_set(array_sort_asc(GroupMembership)) by UserPrincipalName=AccountUPN
) on UserPrincipalName
// only show when we have seen SharePoint usage
| where SharePointactivity > 0
// drop the duplicate join key from the right-hand side
| project-away UserPrincipalName1
BrandonConn007
Jan 10, 2024, Copper Contributor
Ideally, I would just like to know if they have any permission to a particular SPO site. Because of an incorrect rule syntax, they may have been granted access to a SPO site they should not. So, this would be to audit that activity to identify if ANY from those dynamic groups have ANY access to those SPO sites (tenant wide). Big net I know 😞
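The query below is an added example, not code from either poster in this thread. Where the query above measures SharePoint sign-in usage, this one looks for audited SharePoint permission grants (the OfficeActivity table from the Microsoft 365 connector) made to members of the watched dynamic groups, or to the groups themselves, and lists which sites were involved. The group names are placeholders to replace; the Operation names are the SharePoint audit operation names for permission and sharing changes and should be checked against what your tenant actually logs; the 90-day lookback and the assumption that IdentityInfo (UEBA) is populated are also assumptions. Because it reads audit events, it only reports grants that happened inside the retention window, not a full inventory of current effective permissions.

```kql
// Added example (not from the thread): find SharePoint permission grants to members of watched dynamic groups.
// Assumptions: OfficeActivity is populated by the Microsoft 365 connector, IdentityInfo by UEBA,
// group names below are placeholders, and 90 days is an arbitrary lookback.
let myGroups = dynamic(["group 1", "Group2", "Add the next 13 groups here"]);
let lookback = 90d;
// SharePoint audit operations that add or change access (verify against your tenant's data)
let grantOps = dynamic(["PermissionLevelAdded", "SharingSet", "AddedToGroup", "SiteCollectionAdminAdded"]);
// Latest membership snapshot per account, restricted to accounts in at least one watched group
let groupMembers =
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | where GroupMembership has_any (myGroups)
    | summarize arg_max(TimeGenerated, GroupMembership) by AccountUPN
    | project Target = tolower(AccountUPN), AccountUPN, Groups = tostring(GroupMembership);
// Grants made directly to one of the watched groups (the whole group inherits the access)
let groupGrants =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "SharePoint" and Operation in (grantOps)
    | where TargetUserOrGroupName has_any (myGroups)
    | project TimeGenerated, Operation, Site_Url, GrantedTo = TargetUserOrGroupName, GrantedBy = UserId, Via = "group";
// Grants made to an individual member of a watched group
let memberGrants =
    OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "SharePoint" and Operation in (grantOps)
    | extend Target = tolower(TargetUserOrGroupName)
    | join kind=inner groupMembers on Target
    | project TimeGenerated, Operation, Site_Url, GrantedTo = AccountUPN, GrantedBy = UserId, Via = strcat("member of ", Groups);
// One row per grantee and site, newest first, so the unexpected sites stand out for review
union groupGrants, memberGrants
| summarize GrantCount = count(), Operations = make_set(Operation), LastGrant = max(TimeGenerated)
    by GrantedTo, Site_Url, Via
| order by LastGrant desc
```

If a site appears here for a group or member that should not have it, the Site_Url and GrantedBy columns point at what to review and revert; for the current state of permissions on the affected sites, confirm with SharePoint admin tooling rather than relying on the audit trail alone.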