Extract AzureAD "Groups" Audit Logs from Azure Sentinel

New Contributor

Hi All,

As the title would say. I am looking at a simple KQL that would allow us to retrieve Azure AD Groups Audit logs from Sentinel as we all know that Azure AD only retains this data for 30 days. Any help will be HIGHLY appreciated!

2 Replies
I did something similar earlier, how about: AuditLogs |where OperationName contains "group" This should give you a good start then you can add more to the query to reduce the noise.
Test this, which sortof works... Will try the above...

//Summarize all groups that have had users added to them via dynamic rules

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where TimeGenerated > ago(90d)
| where OperationName == "Add member to group"
//| where Identity == "Microsoft Approval Management"
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc