Feb 05 2021 04:03 PM
Hi all,
I would like to create a KQL query that can alert when a user has been added to an Azure Security Group. What would be the best way to create this query?
Thanks in advance,
Janice
Feb 07 2021 11:53 AM
@JCSBCH123 Look at the AuditLogs table and check for the "Add member to group" and probably "Add owner to group" in the OperationName field
Feb 09 2021 03:07 PM - edited Feb 09 2021 03:07 PM
Solution
Hi, I'm assuming that you already have Log Analytics and have integrated the Azure AD logs.
If not, you can go to your directory blade:
https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
In the Monitoring section go to Sign-ins and then Export Data Settings.
You will be able to add the following diagnostic settings:
Click on +Add diagnostic setting.
Give a name to the diagnostic setting.
In the category details select at least AuditLogs and SignInLogs.
In the Destination select at least Send to Log Analytics workspace (if it's a prod subscription I strongly recommend archiving the logs as well).
Then select the subscription and an existing workspace will be populated. If not, you have to create it.
Once done, go to the Azure Monitor blade:
https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview
Go to Alerts, then click on New alert rule.
In the Scope section select the resource, which should be the Log Analytics workspace where you are sending the Azure Active Directory logs.
In the Condition section you configure the signal logic as Custom Log Search (by default 6 evaluations are done in 30 min, but you can customize the time range).
In the search query block copy and paste the following query (formatted):
AuditLogs
| where OperationName in ('Add member to group', 'Add owner to group', 'Remove member from group', 'Remove owner from group')
For the alert logic put 0 for the value of Threshold and click on Done.
Now the alert needs to be sent to someone or a group; for that
you can configure an action group where the notification can be Email/SMS message/Push/Voice.
The action type can be Automation Runbook, ITSM, Webhook, ...
Finally you can define the alert rule details (example in attached files).
Once done you can do the test to verify that you get a result from your query:
Add a member to a group and remove it.
Add an owner to a group and remove it.
You should receive an email like the one in the attachments.
Hope that will help; if yes you can mark it as the answer.
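An extended version of the query above, added here as an example and not part of the answer: it keeps the same OperationName filter but also pulls out who made the change, which account was added or removed, and which group was affected, so the alert e-mail carries enough context to triage without opening the portal. It assumes the standard AuditLogs schema in Log Analytics (the Result column, the InitiatedBy and TargetResources dynamic columns, and a modifiedProperties entry named "Group.DisplayName" on the target user); verify those field names against your own workspace, since the layout of TargetResources varies between operation types.

```kql
// Added example: group membership and ownership changes with triage context.
// Assumes the standard AuditLogs schema (Result, InitiatedBy, TargetResources).
AuditLogs
| where OperationName in ('Add member to group', 'Add owner to group', 'Remove member from group', 'Remove owner from group')
| where Result == "success"                      // ignore failed attempts for this alert
// Initiator is a user for portal/PowerShell changes, an app for service-principal changes
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
// Each target resource carries the affected principal and the group it was added to / removed from
| mv-expand Target = TargetResources
| extend TargetUser = tostring(Target.userPrincipalName), TargetType = tostring(Target.type)
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Group.DisplayName"
| extend GroupName = trim(@'"', tostring(Prop.newValue))  // newValue is a JSON-encoded string
| project TimeGenerated, OperationName, Initiator, TargetUser, TargetType, GroupName, CorrelationId
| order by TimeGenerated desc
```

If you only care about a few sensitive groups, add a `| where GroupName in ("Global Administrators", "Privileged Role Administrators")` style filter (names are placeholders) before the project; the alert rule itself can stay at Threshold 0 so that any matching row fires it.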