Forum Discussion

JCSBCH123
Copper Contributor
Feb 06, 2021
Solved

KQL for AAD Group Add & Remove User

Hi all, I would like to create a KQL query that can alert when a user has been added to an Azure Security Group. What would be the best way to create this query? Thanks in advance, Janice
  • ibnmbodji
    Feb 09, 2021

    JCSBCH123 

    Hi,

    I'm assuming that you already have a Log Analytics workspace and have integrated the Azure AD logs into it.

    If not, go to your directory blade:

    https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview


    In the Monitoring section, go to Sign-ins and then Export Data Settings.

    You will be able to add the following diagnostic settings:

    • AuditLogs
    • SignInLogs
    • NonInteractiveUserSignInLogs
    • ServicePrincipalSignInLogs
    • ManagedIdentitySignInLogs
    • ProvisioningLogs

    Click on +Add diagnostic setting.

    Give a name to the diagnostic setting.

    In the category details, select at least AuditLogs and SignInLogs.

    In the Destination, select at least Send to Log Analytics workspace (if it's a prod subscription, I strongly recommend archiving the logs as well).

    Then select the subscription and an existing workspace will be populated. If not, you have to create it.


    Once done, go to the Azure Monitor blade:

    https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/overview

    Go to Alerts, then click on New alert rule.

    In the Scope section, select the resource, which should be the Log Analytics workspace where you are sending the Azure Active Directory logs.

    In the Condition section, configure the signal logic as Custom log search (by default 6 evaluations are done in 30 min, but you can customize the time range).

    In the search query block, copy and paste the following query (formatted):


    // Azure AD audit events for group membership and ownership changes
    AuditLogs
    | where OperationName in ('Add member to group', 'Add owner to group', 'Remove member from group', 'Remove owner from group')

    For the alert logic, put 0 for the value of Threshold and click on Done.


    Now the alert needs to be sent to someone or a group. For that,

    you can configure an action group, where the notification can be Email/SMS message/Push/Voice.

    The action type can be Automation Runbook, ITSM, Webhook, ...


    Finally, you can define the alert rule details (example in attached files).

    Once done, you can run a test to verify that your query returns a result:

    Add a member to a group and remove it.

    Add an owner to a group and remove it.

    You should receive an email like the one in the attachments.

    Hope that helps; if so, you can mark it as the answer.
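Added example (not part of the original thread, and not code from either poster): the query in the reply above fires on every group membership or ownership change but the alert e-mail only carries the raw AuditLogs row. The expanded version below, written for the same AuditLogs table in Log Analytics, pulls out who made the change, which account was affected and which group it was, so the alert is actionable and can be narrowed to groups you care about. The output column names (Actor, ActorIp, TargetUser, GroupName) and the group names in the commented-out filter are my own choices, not field names from the page.

```kql
// Added example, not from the original post. Assumes Azure AD AuditLogs are
// flowing into the Log Analytics workspace as described in the thread.
AuditLogs
| where Category == "GroupManagement"
| where OperationName in ("Add member to group", "Add owner to group",
                          "Remove member from group", "Remove owner from group")
// Who made the change: a signed-in user, or an app/service principal when
// the change was made programmatically (the user fields are empty then).
| extend Actor = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),
      tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
// The first target resource is the account that was added or removed.
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
// The group name is carried in that resource's modifiedProperties bag under
// "Group.DisplayName": in newValue for an add, in oldValue for a remove.
// The values are JSON-encoded strings, hence the trim of the surrounding quotes.
| mv-apply Property = TargetResources[0].modifiedProperties on (
      where Property.displayName == "Group.DisplayName"
      | extend GroupName = trim('"',
            coalesce(tostring(Property.newValue), tostring(Property.oldValue)))
  )
// Optional: only alert on sensitive groups (names here are placeholders).
// | where GroupName in ("Global Administrators", "Security-Prod-Admins")
| project TimeGenerated, OperationName, Result, GroupName, TargetUser,
          Actor, ActorIp, CorrelationId
| order by TimeGenerated desc
```

Paste this in place of the two-line query in the Custom log search condition and keep the threshold at 0 so any returned row raises the alert. Before relying on the GroupName filter, run the query without it after the add/remove test the reply describes and confirm GroupName is populated for each of the four operations in your tenant; if a tenant's audit events ever shape the modifiedProperties bag differently, project the raw TargetResources column alongside to see why a row is missing.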