Auditing Power-Users and Administrative Tasks with non-repudiation - Does it exist?


I am trying to track down what would seem to be a seemingly basic task - when and who created a particular user in AAD? I believe I have been able to answer part of the question, the when. I see a timestamp in the AuditLogs specific to the 'Add User' OperationName - Excellent!

The other part, however, leaves me wondering if the data exists or if it's hidden somewhere in Azure and does not qualify to make it into the standard AuditLogs. Who clicked the buttons to enable the user account? What I see is the following:

 

InitiatedBy: {"app":{"displayName":"Microsoft Substrate Management","servicePrincipalName":null,"servicePrincipalId":"ad#4b51d9-dqw5-87d9-827c-t9c07s4284#31","appId":null}}

I have randomized the servicePrincipalId.

 

So it's safe to say this was likely a service/process or script that kicked off to create the user account in AAD. The question is, who set the script in motion? Does anyone have any experience with this, and is there a way to prove non-repudiation for this type of event? Many thanks!

1 Reply

@TheriumSec 

 

I'm not sure if I solved this, but I did save this query:

AuditLogs
| where OperationName   == "Add user"
// InitiatedBy.user is only populated when a signed-in person performed the action
| extend displayName_   = tostring(parse_json(tostring(InitiatedBy.user)).displayName)
| extend id_            = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend ipAddress_     = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend roles_         = tostring(parse_json(tostring(InitiatedBy.user)).roles)
| extend userPrincipalName_ = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// Correlate the initiating user's object id with their sign-in records
| join
    (
        SigninLogs
        | project UserId, UserPrincipalName, UserDisplayName
    ) on $left.id_ == $right.UserId
| summarize by id_, userPrincipalName_,  UserPrincipalName //, UserId



You could also look at the Workbook called "Azure AD Auditlogs" for the KQL it uses?
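The query above only attributes events that carry `InitiatedBy.user`; the record quoted in the question carries `InitiatedBy.app` instead, so that join yields nothing for it. The following added example (not from the thread or from Microsoft) shows the split a triage script has to make: user-initiated rows are attributed to a UPN and source IP, app-initiated rows are attributed to the service principal and flagged for a further pivot. The sample rows, ids and UPNs are constructed and mirror the InitiatedBy shape shown above.

```python
import json
from typing import Any

# Constructed sample AuditLogs rows mirroring the InitiatedBy shape quoted above;
# ids and UPNs are placeholders, not real tenant values.
SAMPLE_AUDIT_LOGS = [
    {"TimeGenerated": "2020-06-30T10:15:00Z", "OperationName": "Add user",
     "InitiatedBy": json.dumps({"app": {"displayName": "Microsoft Substrate Management",
                                        "servicePrincipalName": None,
                                        "servicePrincipalId": "SP-ID-PLACEHOLDER",
                                        "appId": None}}),
     "TargetResources": json.dumps([{"userPrincipalName": "new.hire@example.com"}])},
    {"TimeGenerated": "2020-06-30T11:02:00Z", "OperationName": "Add user",
     "InitiatedBy": json.dumps({"user": {"displayName": "Admin One",
                                         "id": "USER-ID-PLACEHOLDER",
                                         "ipAddress": "203.0.113.10",
                                         "userPrincipalName": "admin1@example.com"}}),
     "TargetResources": json.dumps([{"userPrincipalName": "contractor@example.com"}])},
]


def _as_obj(value: Any) -> Any:
    """Dynamic columns may arrive as JSON text (exports) or as parsed objects."""
    return json.loads(value) if isinstance(value, str) else value


def attribute_actor(record: dict[str, Any]) -> dict[str, Any]:
    """Return who (or what) initiated one AuditLogs record.
    A user-initiated record carries a UPN and source IP that point at a person.
    An app-initiated record names only a service principal, so it is flagged
    for follow-up: the human who triggered the app is not in this record."""
    initiated_by = _as_obj(record["InitiatedBy"]) or {}
    targets = _as_obj(record.get("TargetResources", "[]")) or []
    target = targets[0].get("userPrincipalName") if targets else None
    base = {"time": record["TimeGenerated"], "operation": record["OperationName"],
            "target": target}
    user = initiated_by.get("user")
    if user:  # a signed-in person performed the action
        return {**base, "kind": "user", "actor": user.get("userPrincipalName"),
                "actor_id": user.get("id"), "ip": user.get("ipAddress"),
                "needs_followup": False}
    app = initiated_by.get("app") or {}
    return {**base, "kind": "app", "actor": app.get("displayName"),
            "actor_id": app.get("servicePrincipalId"), "ip": None,
            "needs_followup": True}


def triage_add_user_events(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Attribute every 'Add user' event; app-initiated ones need a second pivot."""
    return [attribute_actor(r) for r in records if r["OperationName"] == "Add user"]
```

Rows with `needs_followup` set are the ones where the audit record alone cannot name a person; the service principal id is the pivot value to carry into the next query.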