From 6dcf8bba6ff6ef726aea2f41a39069b4200ac98d Mon Sep 17 00:00:00 2001 
From: Peter Bons Date: Fri, 8 Mar 2024 08:36:58 +0100 Subject: [PATCH 1/4] Rename to Entra ID --- .../Alerts/README | 0 .../Queries/Audit/Provisioned objects by day.kql | 0 .../Queries/Audit/Provisioning actions for the last week.kql | 0 .../Queries/Audit/Provisioning errors.kql | 0 .../Queries/Security/Inactive Service Principals.kql | 0 .../Queries/Security/Most active IP Addresses.kql | 0 .../Queries/Security/Most active Managed Identities.kql | 0 .../Queries/Security/Most active Service Principals.kql | 0 .../Queries/Security/Users with multiple cities.kql | 0 .../Workbooks/README | 0 .../{Azure Active Directory => Azure Entra ID}/Alerts/README | 0 .../{Azure Active Directory => Azure Entra ID}/Queries/README | 0 .../{Azure Active Directory => Azure Entra ID}/Workbooks/README | 0 13 files changed, 0 insertions(+), 0 deletions(-) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Alerts/README (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Audit/Provisioned objects by day.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Audit/Provisioning actions for the last week.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Audit/Provisioning errors.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Security/Inactive Service Principals.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Security/Most active IP Addresses.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Security/Most active Managed Identities.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Security/Most active Service Principals.kql (100%) rename Azure Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Queries/Security/Users with multiple cities.kql (100%) rename Azure 
Services/{Azure Active Directory Logs => Azure Entra ID Logs}/Workbooks/README (100%) rename Azure Services/{Azure Active Directory => Azure Entra ID}/Alerts/README (100%) rename Azure Services/{Azure Active Directory => Azure Entra ID}/Queries/README (100%) rename Azure Services/{Azure Active Directory => Azure Entra ID}/Workbooks/README (100%)
diff --git a/Azure Services/Azure Active Directory Logs/Alerts/README b/Azure Services/Azure Entra ID Logs/Alerts/README
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Alerts/README
rename to Azure Services/Azure Entra ID Logs/Alerts/README
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioned objects by day.kql b/Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioned objects by day.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioned objects by day.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioned objects by day.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioning actions for the last week.kql b/Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning actions for the last week.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioning actions for the last week.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning actions for the last week.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioning errors.kql b/Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning errors.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Audit/Provisioning errors.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning errors.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Security/Inactive Service Principals.kql b/Azure Services/Azure Entra ID Logs/Queries/Security/Inactive Service Principals.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Security/Inactive Service Principals.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Security/Inactive Service Principals.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Security/Most active IP Addresses.kql b/Azure Services/Azure Entra ID Logs/Queries/Security/Most active IP Addresses.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Security/Most active IP Addresses.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Security/Most active IP Addresses.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Security/Most active Managed Identities.kql b/Azure Services/Azure Entra ID Logs/Queries/Security/Most active Managed Identities.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Security/Most active Managed Identities.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Security/Most active Managed Identities.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Security/Most active Service Principals.kql b/Azure Services/Azure Entra ID Logs/Queries/Security/Most active Service Principals.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Security/Most active Service Principals.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Security/Most active Service Principals.kql
diff --git a/Azure Services/Azure Active Directory Logs/Queries/Security/Users with multiple cities.kql b/Azure Services/Azure Entra ID Logs/Queries/Security/Users with multiple cities.kql
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Queries/Security/Users with multiple cities.kql
rename to Azure Services/Azure Entra ID Logs/Queries/Security/Users with multiple cities.kql
diff --git a/Azure Services/Azure Active Directory Logs/Workbooks/README b/Azure Services/Azure Entra ID Logs/Workbooks/README
similarity index 100%
rename from Azure Services/Azure Active Directory Logs/Workbooks/README
rename to Azure Services/Azure Entra ID Logs/Workbooks/README
diff --git a/Azure Services/Azure Active Directory/Alerts/README b/Azure Services/Azure Entra ID/Alerts/README
similarity index 100%
rename from Azure Services/Azure Active Directory/Alerts/README
rename to Azure Services/Azure Entra ID/Alerts/README
diff --git a/Azure Services/Azure Active Directory/Queries/README b/Azure Services/Azure Entra ID/Queries/README
similarity index 100%
rename from Azure Services/Azure Active Directory/Queries/README
rename to Azure Services/Azure Entra ID/Queries/README
diff --git a/Azure Services/Azure Active Directory/Workbooks/README b/Azure Services/Azure Entra ID/Workbooks/README
similarity index 100%
rename from Azure Services/Azure Active Directory/Workbooks/README
rename to Azure Services/Azure Entra ID/Workbooks/README
From 20fd205f26ffaecbd4e17056bd30406eca2e5563 Mon Sep 17 00:00:00 2001 From: Peter Bons Date: Fri, 8 Mar 2024 08:37:45 +0100 Subject: [PATCH 2/4] Add PIM overview --- ...tity Management requests and approvals.kql | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql b/Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
new file mode 100644
index 00000000..76a25cbc
--- /dev/null
+++ b/Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
@@ -0,0 +1,29 @@
+// Author: Expecho
+// Display name: Privileged Identity Management activations and approvals
+// Description: View Privileged Identity Management role activations and approvals
+// Categories: Audit
+// Resource types: Azure Entra ID
+// Topic: Audit
+
+AuditLogs
+| where LoggedByService == "PIM"
+| where AADOperationType == "ActivateRole"
+| project
+ TimeGenerated,
+ Reason = ResultReason,
+ Result,
+ Requestor = Identity,
+ Category,
+ Role = tostring(TargetResources[0].displayName),
+ ResourceName = tostring(TargetResources[3].displayName),
+ ResourceType = tostring(TargetResources[3].type),
+ Start = iif(Category == "GroupManagement", todatetime(AdditionalDetails[2].value), todatetime(AdditionalDetails[3].value)),
+ End = iif(Category == "GroupManagement", todatetime(AdditionalDetails[3].value), todatetime(AdditionalDetails[4].value)),
+ CorrelationId
+| join kind=leftouter (
+ AuditLogs
+ | where LoggedByService == "PIM"
+ | where AADOperationType == "ApproveRoleActivation"
+ | project CorrelationId, ApprovalMessage = ResultDescription, Approver = Identity, Approved = Result)
+ on CorrelationId
+| distinct TimeGenerated, Requestor, Reason, Approver, ApprovalMessage, Category, Role, ResourceName, ResourceType, Start, End
\ No newline at end of file
From 739f4db3f6e06f963b0c3b40988f092841cc3937 Mon Sep 17 00:00:00 2001
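Review bot: The join subquery projects `Approved = Result`, but the final `| distinct` list leaves it out, so if an approval event can be logged with a non-success Result the activation is displayed exactly like one with a successful approval; add the column to the output, `| distinct TimeGenerated, Requestor, Reason, Approver, Approved, ApprovalMessage, Category, Role, ResourceName, ResourceType, Start, End`. The same omission is still present on the new side of the last hunk of patch 4, where the message column is renamed to Approval. Separately, Role, ResourceName, ResourceType, Start and End are read by array position (`TargetResources[3]`, `AdditionalDetails[2]`..`[4]`), and when the element order differs for a record the `tostring`/`todatetime` calls return null silently instead of failing, which is hard to notice in a dashboard. Resolving the entry by its key name instead (an `mv-apply` over AdditionalDetails filtered on a `<start-time key>` / `<end-time key>` placeholder) would be more robust; that the entries carry a key is inferred from the `.value` accessor, not verified here. The header comment would also benefit from one line stating which positional layout is assumed, e.g. `// Assumes AdditionalDetails holds the activation start/end at index 2/3 for group management and 3/4 otherwise`.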
From: Peter Bons Date: Fri, 8 Mar 2024 08:40:39 +0100 Subject: [PATCH 3/4] Microsoft Entra ID instead of Azure Entra ID --- .../Alerts/README | 0 .../Priviliged Identity Management requests and approvals.kql | 2 +- .../Queries/Audit/Provisioned objects by day.kql | 0 .../Queries/Audit/Provisioning actions for the last week.kql | 0 .../Queries/Audit/Provisioning errors.kql | 0 .../Queries/Security/Inactive Service Principals.kql | 0 .../Queries/Security/Most active IP Addresses.kql | 0 .../Queries/Security/Most active Managed Identities.kql | 0 .../Queries/Security/Most active Service Principals.kql | 0 .../Queries/Security/Users with multiple cities.kql | 0 .../Workbooks/README | 0 .../{Azure Entra ID => Microsoft Entra ID}/Alerts/README | 0 .../{Azure Entra ID => Microsoft Entra ID}/Queries/README | 0 .../{Azure Entra ID => Microsoft Entra ID}/Workbooks/README | 0 14 files changed, 1 insertion(+), 1 deletion(-) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Alerts/README (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Audit/Priviliged Identity Management requests and approvals.kql (97%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Audit/Provisioned objects by day.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Audit/Provisioning actions for the last week.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Audit/Provisioning errors.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Security/Inactive Service Principals.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Security/Most active IP Addresses.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Security/Most active Managed Identities.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID 
Logs}/Queries/Security/Most active Service Principals.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Queries/Security/Users with multiple cities.kql (100%) rename Azure Services/{Azure Entra ID Logs => Microsoft Entra ID Logs}/Workbooks/README (100%) rename Azure Services/{Azure Entra ID => Microsoft Entra ID}/Alerts/README (100%) rename Azure Services/{Azure Entra ID => Microsoft Entra ID}/Queries/README (100%) rename Azure Services/{Azure Entra ID => Microsoft Entra ID}/Workbooks/README (100%)
diff --git a/Azure Services/Azure Entra ID Logs/Alerts/README b/Azure Services/Microsoft Entra ID Logs/Alerts/README
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Alerts/README
rename to Azure Services/Microsoft Entra ID Logs/Alerts/README
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
similarity index 97%
rename from Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
index 76a25cbc..1d6dabb7 100644
--- a/Azure Services/Azure Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
+++ b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
@@ -2,7 +2,7 @@
 // Display name: Privileged Identity Management activations and approvals
 // Description: View Privileged Identity Management role activations and approvals
 // Categories: Audit
-// Resource types: Azure Entra ID
+// Resource types: Microsoft Entra ID
 // Topic: Audit
 AuditLogs
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioned objects by day.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Provisioned objects by day.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioned objects by day.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Audit/Provisioned objects by day.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning actions for the last week.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Provisioning actions for the last week.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning actions for the last week.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Audit/Provisioning actions for the last week.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning errors.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Provisioning errors.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Audit/Provisioning errors.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Audit/Provisioning errors.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Security/Inactive Service Principals.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Security/Inactive Service Principals.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Security/Inactive Service Principals.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Security/Inactive Service Principals.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Security/Most active IP Addresses.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Security/Most active IP Addresses.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Security/Most active IP Addresses.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Security/Most active IP Addresses.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Security/Most active Managed Identities.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Security/Most active Managed Identities.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Security/Most active Managed Identities.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Security/Most active Managed Identities.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Security/Most active Service Principals.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Security/Most active Service Principals.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Security/Most active Service Principals.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Security/Most active Service Principals.kql
diff --git a/Azure Services/Azure Entra ID Logs/Queries/Security/Users with multiple cities.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Security/Users with multiple cities.kql
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Queries/Security/Users with multiple cities.kql
rename to Azure Services/Microsoft Entra ID Logs/Queries/Security/Users with multiple cities.kql
diff --git a/Azure Services/Azure Entra ID Logs/Workbooks/README b/Azure Services/Microsoft Entra ID Logs/Workbooks/README
similarity index 100%
rename from Azure Services/Azure Entra ID Logs/Workbooks/README
rename to Azure Services/Microsoft Entra ID Logs/Workbooks/README
diff --git a/Azure Services/Azure Entra ID/Alerts/README b/Azure Services/Microsoft Entra ID/Alerts/README
similarity index 100%
rename from Azure Services/Azure Entra ID/Alerts/README
rename to Azure Services/Microsoft Entra ID/Alerts/README
diff --git a/Azure Services/Azure Entra ID/Queries/README b/Azure Services/Microsoft Entra ID/Queries/README
similarity index 100%
rename from Azure Services/Azure Entra ID/Queries/README
rename to Azure Services/Microsoft Entra ID/Queries/README
diff --git a/Azure Services/Azure Entra ID/Workbooks/README b/Azure Services/Microsoft Entra ID/Workbooks/README
similarity index 100%
rename from Azure Services/Azure Entra ID/Workbooks/README
rename to Azure Services/Microsoft Entra ID/Workbooks/README
From 6bca212cf154c71e1507e2b8962660c72914c2c1 Mon Sep 17 00:00:00 2001 From: Peter Bons Date: Thu, 2 May 2024 15:18:26 +0200 Subject: [PATCH 4/4] Reflect schema changes --- ...iged Identity Management requests and approvals.kql | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
index 1d6dabb7..d987e7ab 100644
--- a/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
+++ b/Azure Services/Microsoft Entra ID Logs/Queries/Audit/Priviliged Identity Management requests and approvals.kql
@@ -6,8 +6,9 @@
 // Topic: Audit
 AuditLogs
+| where TimeGenerated > ago(30d)
 | where LoggedByService == "PIM"
-| where AADOperationType == "ActivateRole"
+| where OperationName == "Add member to role completed (PIM activation)"
 | project
 TimeGenerated,
 Reason = ResultReason,
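Review bot: The lookback literal `ago(30d)` added here is repeated verbatim in the join subquery of the next hunk, so a later change to one filter will silently desynchronize the two halves of the join; declare it once at the top of the query, `let lookback = 30d;`, and use `| where TimeGenerated > ago(lookback)` in both places. The new filter `OperationName == "Add member to role completed (PIM activation)"` binds the query to the exact English display text of the event, which is more likely to change than a typed operation field was; if the current schema still exposes a stable non-localized identifier for this event it would be the safer predicate, but that cannot be confirmed from the diff. The `| project` column list that follows continues outside the hunk, and the header comment should state the scope the query now has, e.g. `// Scope: completed PIM role activations from the last 30 days, joined to their approval events`.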
@@ -22,8 +23,9 @@ AuditLogs
 CorrelationId
 | join kind=leftouter (
 AuditLogs
+ | where TimeGenerated > ago(30d)
 | where LoggedByService == "PIM"
- | where AADOperationType == "ApproveRoleActivation"
- | project CorrelationId, ApprovalMessage = ResultDescription, Approver = Identity, Approved = Result)
+ | where OperationName == "Add member to role request approved (PIM activation)"
+ | project CorrelationId, Approval = ResultDescription, Approver = Identity, Approved = Result)
 on CorrelationId
-| distinct TimeGenerated, Requestor, Reason, Approver, ApprovalMessage, Category, Role, ResourceName, ResourceType, Start, End
\ No newline at end of file
+| distinct TimeGenerated, Requestor, Reason, Approver, Approval, Category, Role, ResourceName, ResourceType, Start, End
\ No newline at end of file
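Review bot: The approval subquery is cut off at the same `ago(30d)` boundary as the activation rows, and since the "request approved" event presumably precedes the "completed" activation it belongs to, an activation that falls just inside the window can have its approval fall just outside it; the left-outer join then leaves Approver and Approval empty and the row reads as an activation that was never approved, which is exactly the case an auditor would escalate. Widening the inner window a little, e.g. `| where TimeGenerated > ago(31d)`, keeps the join complete at the boundary while still bounding the scan. The widened value should be derived from the outer lookback rather than typed separately so the two cannot drift apart. This hunk runs to the end of the file.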