Sentinel Assistance - KQL Query

Hey!
Looking for assistance with creating a KQL query that can look at members of approx. 15 dynamic security groups and identify if they have any SharePoint site permissions across a tenant. My assumption is that the query will include a join between IdentityInfo and OfficeActivity but I'm not even sure the information I'm looking for will be in the OfficeActivity table. 

Thanks, 
Brandon

3 Replies

@BrandonConn007 

Do you need to know which permission or the fact they have some?

This will look at usage of SharePoint (with any permission) and enables you to add your 15 groups.
You firstly need to edit line #1 for your groups. 
let myGroups = dynamic(["group 1","Group2","Add the next 13 groups here"]);
SigninLogs
// did they logon successfully and also have SharePoint activity
| where ResultType == "0"
// UPN is lower-cased here and on the IdentityInfo side because join keys are case-sensitive
| summarize SharePointactivity=countif(AppDisplayName has 'SharePoint') by UserPrincipalName=tolower(UserPrincipalName), AppDisplayName
| join
(
    IdentityInfo
    // check these groups for membership
    | where GroupMembership has_any(myGroups)
    | summarize listGroups=make_set(array_sort_asc(GroupMembership)) by UserPrincipalName=tolower(AccountUPN)
) on UserPrincipalName
// only show when we have seen sharepoint usage
| where SharePointactivity > 0
| project-away UserPrincipalName1

Ideally, I would just like to know if they have any permission to a particular SPO site. Because of an incorrect rule syntax, they may have been granted access to a SPO site they should not. So, this would be to audit that activity to identify if ANY from those dynamic groups have ANY access to those SPO sites (tenant wide). Big net I know :(

@BrandonConn007 
So now you can join to OfficeActivity and see which sites they accessed; the [Operation] column can give you an idea on permissions, e.g. if they have created or modified they won't be read only etc...

To tune this you could add in a LET statement with a list of the specific SPO sites you want to monitor. You may also want to play with the final line, as you may need to show different columns to the ones I chose?

let myGroups = dynamic(["Group 1","Group2","Add the next 13 groups here"]);
SigninLogs
// did they logon successfully and also have SharePoint activity
| where ResultType == "0"
// UPN is lower-cased on every side of the joins because join keys are case-sensitive
| summarize SharePointactivity=countif(AppDisplayName == 'Office 365 SharePoint Online') by UserPrincipalName=tolower(UserPrincipalName), AppDisplayName
| join
(
    IdentityInfo
    // check these groups for membership
    | where GroupMembership has_any(myGroups)
    | summarize listGroups=make_set(array_sort_asc(GroupMembership)) by UserPrincipalName=tolower(AccountUPN)
) on UserPrincipalName
// only show when we have seen sharepoint usage
| where SharePointactivity > 0
| project-away UserPrincipalName1
| join
(
    OfficeActivity
    | where OfficeObjectId has "sharepoint"
    // OfficeActivity carries the actor in UserId; normalise it to match the join key
    | extend UserPrincipalName = tolower(UserId)
) on UserPrincipalName
| summarize by UserPrincipalName, RecordType, Operation, Site_Url, AppDisplayName
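The reply above suggests a LET list of the SPO sites to monitor and using the [Operation] column as a rough indicator of the permission level a user actually exercised. The query below is an added example written for this thread, not the replier's own query: it takes the newest IdentityInfo snapshot per account (the table keeps many rows per user over time), keeps only members of the audited groups, joins them to SharePoint events in OfficeActivity, optionally restricts to a site list, and buckets each event into read vs. write/share. The group names, the site terms, the lookback window and the Operation-to-bucket mapping are all assumed placeholders to adjust for your tenant.

```kql
// Assumed placeholders: replace with the 15 dynamic groups and (optionally) the SPO sites under audit.
// mySites holds single-word site path segments so that has_any term matching works on Site_Url;
// leave it empty to keep the tenant-wide "big net".
let myGroups = dynamic(["Group 1", "Group 2"]);
let mySites  = dynamic(["Finance", "HR"]);
let lookback = 30d;
// Current membership per account: IdentityInfo is a snapshot table, so keep only the latest row per UPN
let groupMembers =
    IdentityInfo
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, GroupMembership) by AccountUPN
    | where GroupMembership has_any (myGroups)
    | project UserPrincipalName = tolower(AccountUPN),
              MatchedGroups = set_intersect(GroupMembership, myGroups);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "SharePoint"
// Optional site scoping; an empty list means every site in the tenant
| where array_length(mySites) == 0 or Site_Url has_any (mySites)
// Join keys are case-sensitive, so normalise the actor UPN the same way as groupMembers
| extend UserPrincipalName = tolower(UserId)
| join kind=inner groupMembers on UserPrincipalName
// Assumed mapping from Operation to a coarse access level; extend it with the operations you see
| extend AccessLevel = case(
    Operation in ("FileModified", "FileUploaded", "FileDeleted", "FileMoved", "FileRenamed", "SharingSet"), "write-or-share",
    Operation in ("FileAccessed", "FileDownloaded", "FilePreviewed", "PageViewed"), "read",
    "other")
// One row per (user, site, matched groups) with the evidence needed to decide whether access was wrongly granted
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Events = count(),
            Operations = make_set(Operation), AccessLevels = make_set(AccessLevel)
          by UserPrincipalName, Site_Url, MatchedGroups = tostring(MatchedGroups)
| order by LastSeen desc
```

Because the audit question is "does anyone in these groups have any access", the join is driven from OfficeActivity rather than SigninLogs: a user who reached a site via sharing link or app-only access still shows up, and rows with an AccessLevel of "write-or-share" are the ones to review first.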