Cette requête permet de :
- Auditer les ajouts et retraits de membres dans les groupes BreakGlass (table AuditLogs d'Entra ID) sur 2 ans — sous réserve que la rétention du workspace couvre bien cette période, sinon la fenêtre auditée est silencieusement tronquée.
- Identifier les utilisateurs ajoutés et retirés, avec les initiateurs.
- Calculer la durée passée dans le groupe, en heures (pour un membre encore présent, la durée est mesurée jusqu'à maintenant), utile pour détecter les abus ou les oublis de retrait.
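// Audit of break-glass group membership changes (Entra ID AuditLogs).
// Emits one row per member added to a break-glass group, with who added
// them, who (if anyone) removed them, and the hours spent in the group.
// BreakGlass holds the group object IDs — the value compared below comes from
// TargetResources[0].modifiedProperties, not from the group display name.
let BreakGlass = dynamic(["GUID"]);
AuditLogs
// A 730-day window only returns data if AuditLogs retention in the workspace
// is at least that long; with a shorter retention the audit window is truncated.
| where TimeGenerated > ago(730d)
| where OperationName in("Add member to group", "Remove member from group")
// Coarse pre-filter on the raw dynamic column; the exact group match is done
// below on TargetGroup once it has been extracted.
| where TargetResources has_any (BreakGlass)
| project TimeGenerated, AADTenantId, TargetResources, OperationName, InitiatedBy
| extend
    // TargetResources[0] is the member being added or removed.
    TargetId = tostring(TargetResources[0].id),
    TargetUser = tostring(TargetResources[0].userPrincipalName),
    // Group identifier: oldValue is populated on removals, newValue on additions.
    // NOTE(review): relies on modifiedProperties[0] being the group-ID property;
    // confirm against a sample event for this tenant.
    TargetGroup = trim('"', tostring(coalesce(TargetResources[0].modifiedProperties[0].oldValue, TargetResources[0].modifiedProperties[0].newValue))),
    // The initiator is either an interactive user (InitiatedBy.user) or an
    // application / service principal (InitiatedBy.app), e.g. automation.
    // Reading only .user left app-driven changes with an empty initiator,
    // which a break-glass audit must not silently drop.
    SourceId = tostring(coalesce(InitiatedBy.user.id, InitiatedBy.app.servicePrincipalId)),
    SourceUser = tostring(coalesce(InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)),
    // Only user-initiated events carry a client IP; app-initiated rows leave it empty.
    SourceIP = tostring(InitiatedBy.user.ipAddress)
| project-away TargetResources, InitiatedBy
| where TargetGroup in (BreakGlass)
// scan needs the events in time order; sorting by member first keeps each
// member's add/remove history contiguous.
| sort by TargetId asc, TimeGenerated asc
// Pair each addition with a later removal of the same member from the same group.
| scan with_match_id=Funnel declare (AddedDate: datetime, RemovedDate: datetime) with (
step Added: OperationName == "Add member to group" => AddedDate = TimeGenerated;
step Removed: OperationName == "Remove member from group" and TargetId == Added.TargetId and TargetGroup == Added.TargetGroup => RemovedDate = TimeGenerated, AddedDate = Added.TimeGenerated;
)
// Keep the last record of each matched sequence: one row per add/remove pair,
// or per addition that has not been followed by a removal.
| summarize arg_max(TimeGenerated, *) by Funnel, TargetId, TargetGroup
// Memberships still open are measured up to the time the query runs.
| extend HoursInGroup = case (isnotempty(RemovedDate), datetime_diff('hour', RemovedDate, AddedDate), datetime_diff('hour', now(), AddedDate))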