Cyber résilience & les Solutions Microsoft

Modify Credentials Entra Connect App Identity

par

admin
dans

Cette requête permet de :

  • Surveiller les modifications sensibles sur les identités d’application Azure AD Connect.
  • Détecter les ajouts de clés, certificats ou identifiants fédérés.
  • Identifier qui a initié l’action, avec IP et contexte.
let EntraConnectAppIdentities = OAuthAppInfo
| where parse_json(Permissions) has 'ADSynchronization.ReadWrite.All'
| summarize by AppName;
  AuditLogs
  | where OperationName has_any ("Add service principal", "Certificates and secrets management", "Update application")
  | where Result =~ "success"
  | mv-apply TargetResource = TargetResources on 
      (
      where TargetResource.type =~ "Application" or TargetResource.type =~ "ServicePrincipal"
      | extend
          TargetName = tostring(TargetResource.displayName),
          TargetObjectType = tostring(TargetResource.type),          
          ResourceId = tostring(TargetResource.id),
          AddedKeyEvent = TargetResource.modifiedProperties
      )
| where TargetName in~ (EntraConnectAppIdentities)
| extend InitiatingBy = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingUserOrAppId = iff(isnotempty(InitiatedBy.user.id), tostring(InitiatedBy.user.id), tostring(InitiatedBy.app.servicePrincipalId))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | mv-apply Property = AddedKeyEvent on 
      (
      where Property.displayName =~ "KeyDescription" or Property.displayName =~ "FederatedIdentityCredentials"
      | extend
          OldValue = parse_json(tostring(Property.newValue)),
          NewValue = parse_json(tostring(Property.oldValue))
      )
  | extend diff = set_difference(NewValue, OldValue)
  | parse diff with * "KeyIdentifier=" keyIdentifier: string ",KeyType=" keyType: string ",KeyUsage=" keyUsage: string ",DisplayName=" keyDisplayName: string "]" *
| project ActivityDateTime, ActivityDisplayName, CorrelationId, Result, TargetName, TargetObjectType, InitiatingBy, InitiatingIpAddress, AddedKeyEvent, AddedKeyId = keyIdentifier, OldValue, NewValue

Commentaires

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Conçu avec WordPress