Jan 18 2020
11:56 AM
- last edited on
Apr 08 2022
10:15 AM
by
TechCommunityAP
Hello,
I'm creating a query to display AD account activity, such as account creation.
I would like to see who has created an account (with the caller command). I would like to see users' roles as well (such as global admin, security admin, etc.).
How can I achieve that?
Regards,
Jan 20 2020 05:50 AM
Some AzureAD samples to get you started...
1. Look at Audit logs
AuditLogs
// UPN of the user who initiated the event (InitiatedBy.user is a dynamic value, hence parse_json(tostring(...)))
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// UPN of the first target object of the event
| extend userPrincipalName2_ = tostring(TargetResources[0].userPrincipalName)
// fall back to the target UPN when the event was not initiated by a user
| extend userPrincipalName = iif(isempty(userPrincipalName_), userPrincipalName2_, userPrincipalName_)
| where OperationName !contains "service principal"
| summarize count(), make_set(InitiatedBy) by ActivityDisplayName, userPrincipalName
2. SigninLogs
SigninLogs
// Status is a dynamic column; pull the error code and failure reason out of it
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = Status.failureReason
// keep only the AAD error codes of interest
| where ErrorCode in ("50058","50140", "51006", "50059", "65001", "52004", "50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125", "50129","50143", "81010", "81014", "81012")
| summarize errCount = count() by ErrorCode, tostring(FailureReason), UserDisplayName, UserPrincipalName
Jan 20 2020 09:04 PM
Thanks for the information provided!
Will let you know what was the outcome.
Thanks one more time.
Arnold
Jan 22 2020 07:43 PM
Hello,
I have managed to gather some code, but sadly it's not providing the info needed in the alert itself.
The code itself is straightforward:
Jan 23 2020 10:55 AM
You can create a merged column (called here AggregatedValue); I used strcat to create a comma-separated list of the 4 items.
AuditLogs
| where OperationName == "Add user"
// initiating user and target user, as in the earlier query
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend userPrincipalName2_ = tostring(TargetResources[0].userPrincipalName)
// entity columns that the analytics rule maps to alert entities
| extend AccountCustomEntity = userPrincipalName_
| extend AccountCustomEntity2 = userPrincipalName2_
// single comma-separated column carrying all four values
| extend AggregatedValue = strcat(userPrincipalName_, ", ", userPrincipalName2_, ", ", AccountCustomEntity, ", ", AccountCustomEntity2)
| summarize count() by AggregatedValue
Jan 23 2020 08:48 PM
Hey, your help is much appreciated!
I managed to display the information needed by adding one account as AccountCustomEntity and the other as HostCustomEntity:
Jan 24 2020 05:44 AM
Something like this?
AuditLogs
| where ActivityDisplayName == "Add user"
// who performed the action
| extend userPerformingAction = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// which account was created
| extend userAmended = tostring(TargetResources[0].userPrincipalName)
| summarize by userPerformingAction, userAmended, ActivityDisplayName, Result
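The following is an added Python example, not code from this thread, that mirrors what the AuditLogs queries in the Jan 20 and Jan 24 replies do (extracting InitiatedBy.user.userPrincipalName, TargetResources[0].userPrincipalName, and summarizing "Add user" events) over a handful of constructed audit records, so that the edge cases the KQL has to cope with are visible: InitiatedBy.user arriving as a JSON string rather than an object (the reason for the parse_json(tostring(...)) wrapper), an event initiated by an application rather than a user (InitiatedBy.user empty), and an empty TargetResources array. The sample records and the "app:<displayName>" convention used for app-initiated events are assumptions made for this example; the thread's own query falls back to the target UPN instead.

```python
import json
from collections import Counter

# Constructed sample AuditLogs rows (not real tenant data). Field shapes follow
# the columns the thread's KQL touches: InitiatedBy.user / InitiatedBy.app,
# TargetResources[0].userPrincipalName, OperationName, ActivityDisplayName, Result.
SAMPLE_AUDIT_LOGS = [
    {   # interactive admin creates a user
        "OperationName": "Add user", "ActivityDisplayName": "Add user", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
        "TargetResources": [{"userPrincipalName": "newhire@contoso.example"}],
    },
    {   # same admin, but InitiatedBy.user is a JSON *string*: this is why the KQL uses parse_json(tostring(...))
        "OperationName": "Add user", "ActivityDisplayName": "Add user", "Result": "success",
        "InitiatedBy": {"user": json.dumps({"userPrincipalName": "admin@contoso.example"}), "app": None},
        "TargetResources": [{"userPrincipalName": "contractor@contoso.example"}],
    },
    {   # an application (e.g. a provisioning connector) creates a user: no user UPN at all
        "OperationName": "Add user", "ActivityDisplayName": "Add user", "Result": "success",
        "InitiatedBy": {"user": None, "app": {"displayName": "HR Sync Connector"}},
        "TargetResources": [{"userPrincipalName": "svc-hr@contoso.example"}],
    },
    {   # failed creation attempt by the admin
        "OperationName": "Add user", "ActivityDisplayName": "Add user", "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
        "TargetResources": [{"userPrincipalName": "dupe@contoso.example"}],
    },
    {   # unrelated operation that the "Add user" filter must drop
        "OperationName": "Add service principal", "ActivityDisplayName": "Add service principal",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}, "app": None},
        "TargetResources": [{"displayName": "my-app"}],
    },
]


def _as_dict(value):
    """Mirror parse_json(tostring(x)): a dynamic value may be a dict, a JSON string or null."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except ValueError:
            return {}
    return value if isinstance(value, dict) else {}


def initiating_user(record):
    """tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName); '' when absent."""
    user = _as_dict(_as_dict(record.get("InitiatedBy")).get("user"))
    return str(user.get("userPrincipalName") or "")


def initiating_app(record):
    """displayName of InitiatedBy.app; '' when the event was not app-initiated."""
    app = _as_dict(_as_dict(record.get("InitiatedBy")).get("app"))
    return str(app.get("displayName") or "")


def target_user(record):
    """tostring(TargetResources[0].userPrincipalName); '' when the array is empty or the field is missing."""
    targets = record.get("TargetResources") or []
    return str(_as_dict(targets[0]).get("userPrincipalName") or "") if targets else ""


def user_performing_action(record):
    """The thread's iif(isempty(user), target, user) idea, with one assumed refinement:
    an app-initiated event is reported as 'app:<displayName>' rather than borrowing the
    target UPN, so the alert does not show the created account as its own creator."""
    upn = initiating_user(record)
    if upn:
        return upn
    app = initiating_app(record)
    if app:
        return "app:" + app
    return target_user(record)


def summarize_add_user(records):
    """Mirror of the Jan 24 query: filter on ActivityDisplayName == 'Add user' and
    summarize by (performer, amended user, activity, result). Returns {key: count}."""
    counts = Counter()
    for r in records:
        if r.get("ActivityDisplayName") != "Add user":
            continue
        key = (user_performing_action(r), target_user(r), r.get("ActivityDisplayName"), r.get("Result"))
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize_add_user(SAMPLE_AUDIT_LOGS).items():
        print(n, *key)
```

Running the script prints one line per (performer, created account, activity, result) group; the service-principal row is dropped by the filter, and the connector-created account shows up under "app:HR Sync Connector" instead of under its own UPN.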
Feb 01 2020 09:43 AM - edited Feb 01 2020 09:43 AM
Thanks for your help!