microsoft / Azure-Threat-Research-Matrix

MIT License

AZT402 Query is Invalid #16

Open bradb2145 opened 11 months ago

bradb2145 commented 11 months ago

The query for AZT402 - Elevated Access Toggle does not appear to be valid.

AuditLogs | where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'

In my testing these 'Directory Activity' logs are not exported to AuditLogs (nor to ActivityLogs). I am engaging support but fear the answer is that these logs are not currently exportable.

Edit: Support seems to concur that these logs are not currently exportable. I have found that you can at least retrieve these events from the Tenant Activity API endpoint https://learn.microsoft.com/en-us/rest/api/monitor/tenant-activity-logs/list?view=rest-monitor-2015-04-01&tabs=HTTP

Palciny commented 3 months ago

@bradb2145 we were dealing with the same problem. We fixed this by fetching the data from the API and pushing it to a custom table. We run an analytic rule on the custom table.

But yeah, the information on this web page is incorrect.
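The workaround described in this thread (pull the events from the Tenant Activity Logs REST API, shape them for a custom table, run the analytic rule on that table), as an added example that is not code from the issue, from the ATRM project or from Microsoft. It assumes the record layout of the Tenant Activity Logs API (`eventTimestamp`, `caller`, `operationName.value`/`localizedValue`, `status`, `claims`, `nextLink` pagination) and that the operation behind "Assigns the caller to User Access Administrator role" is `Microsoft.Authorization/elevateAccess/action`; the sample response pages, the `fake_fetch` helper, the `collect_elevate_access_rows` function and the custom-table column names are this example's own constructions.

```python
"""Added example (not from the issue thread, the Azure-Threat-Research-Matrix
project, or Microsoft): collect AZT402 elevate-access events from the Tenant
Activity Logs REST API and flatten them into rows for a Log Analytics custom
table. Assumptions: API record layout as documented for the Tenant Activity
Logs list operation; elevate access surfaces as the operation
Microsoft.Authorization/elevateAccess/action with the localized display name
"Assigns the caller to User Access Administrator role". SAMPLE_PAGES and the
row column names are constructed for this example."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator
from urllib.parse import urlencode

MANAGEMENT_ENDPOINT = "https://management.azure.com"
TENANT_ACTIVITY_PATH = "/providers/Microsoft.Insights/eventtypes/management/values"
API_VERSION = "2015-04-01"
ELEVATE_ACCESS_OP = "microsoft.authorization/elevateaccess/action"  # compared case-insensitively
ELEVATE_ACCESS_DISPLAY = "Assigns the caller to User Access Administrator role"


def tenant_activity_url(start: datetime, end: datetime) -> str:
    """First-page list URL; the API filters on eventTimestamp (ISO 8601, UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    flt = f"eventTimestamp ge '{start.strftime(fmt)}' and eventTimestamp le '{end.strftime(fmt)}'"
    return f"{MANAGEMENT_ENDPOINT}{TENANT_ACTIVITY_PATH}?" + urlencode(
        {"api-version": API_VERSION, "$filter": flt})


def iter_events(first_url: str, fetch_page: Callable[[str], dict]) -> Iterator[dict]:
    """Follow nextLink until the API stops paginating. fetch_page is injected so the
    example runs offline; in production it is an HTTPS GET carrying a bearer token
    for the ARM audience (assumption: e.g. requests.get(url, headers=...).json())."""
    url = first_url
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("nextLink")


def is_elevate_access(event: dict) -> bool:
    """Match on the operation value (case-insensitive) or on the localized name."""
    op = event.get("operationName") or {}
    return (str(op.get("value", "")).lower() == ELEVATE_ACCESS_OP
            or op.get("localizedValue") == ELEVATE_ACCESS_DISPLAY)


def to_custom_table_rows(events: Iterable[dict]) -> list:
    """Flatten matching events into rows for a custom table such as ElevateAccess_CL
    (column names are this example's choice, not a Microsoft schema)."""
    rows = []
    for e in events:
        if not is_elevate_access(e):
            continue
        claims = e.get("claims") or {}
        rows.append({
            "TimeGenerated": e.get("eventTimestamp"),
            "Caller": e.get("caller"),
            "OperationName": (e.get("operationName") or {}).get("value"),
            "Status": (e.get("status") or {}).get("value"),
            "TenantId": e.get("tenantId"),
            "CorrelationId": e.get("correlationId"),
            "CallerIpAddress": claims.get("ipaddr"),
        })
    return rows


# Constructed sample response pages (not real logs), shaped like the API output;
# page 1 links to page 2 to exercise nextLink handling.
_PAGE2_URL = f"{MANAGEMENT_ENDPOINT}{TENANT_ACTIVITY_PATH}?$skiptoken=constructed"
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"eventTimestamp": "2024-05-01T10:15:00.000Z", "caller": "admin@contoso.example",
             "operationName": {"value": "Microsoft.Authorization/elevateAccess/action",
                               "localizedValue": ELEVATE_ACCESS_DISPLAY},
             "status": {"value": "Succeeded"}, "tenantId": "00000000-0000-0000-0000-000000000001",
             "correlationId": "c0ffee00-0000-4000-8000-000000000001",
             "claims": {"ipaddr": "203.0.113.10"}},
            {"eventTimestamp": "2024-05-01T10:16:00.000Z", "caller": "reader@contoso.example",
             "operationName": {"value": "Microsoft.Resources/tenants/read",
                               "localizedValue": "Get tenants"},
             "status": {"value": "Succeeded"}, "tenantId": "00000000-0000-0000-0000-000000000001",
             "correlationId": "c0ffee00-0000-4000-8000-000000000002", "claims": {}},
        ],
        "nextLink": _PAGE2_URL,
    },
    _PAGE2_URL: {
        "value": [
            {"eventTimestamp": "2024-05-01T11:02:00.000Z", "caller": "breakglass@contoso.example",
             "operationName": {"value": "MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION",
                               "localizedValue": ELEVATE_ACCESS_DISPLAY},
             "status": {"value": "Succeeded"}, "tenantId": "00000000-0000-0000-0000-000000000001",
             "correlationId": "c0ffee00-0000-4000-8000-000000000003",
             "claims": {"ipaddr": "198.51.100.7"}},
        ],
    },
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for the HTTP GET: the first (filtered) URL maps to page 1."""
    return SAMPLE_PAGES.get(url, SAMPLE_PAGES["page1"])


def collect_elevate_access_rows(fetch_page: Callable[[str], dict] = fake_fetch,
                                lookback: timedelta = timedelta(hours=24)) -> list:
    end = datetime.now(timezone.utc)
    return to_custom_table_rows(iter_events(tenant_activity_url(end - lookback, end), fetch_page))


if __name__ == "__main__":
    print(json.dumps(collect_elevate_access_rows(), indent=2))
```

The rows are what a scheduled job would post to the custom table (for example through the Logs Ingestion API against a data collection rule); the Sentinel analytic rule then replaces the invalid `AuditLogs` query with one over that table, along the lines of `ElevateAccess_CL | where OperationName =~ "Microsoft.Authorization/elevateAccess/action"`. Matching on the operation value rather than only the localized display name keeps the rule working for tenants whose portal language is not English.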