I'm trying to create an Azure Alert to notify me when someone adds a user to an Azure Active Directory Group. I found the query below but its not working
SecurityEvent
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757) and TargetAccount contains
"Admin"
and TimeGenerated > ago(24h)
| summarize AggregatedValue = count() by TargetAccount
| order by AggregatedValue desc
I'm trying to create an Azure Alert to notify me when someone adds a user to an Azure Active Directory Group.
I have used below KQL query to check the Azure AD group activity logs.
AuditLogs
| where OperationName contains "Add member to group"
| where TargetResources contains "newgrp"
| extend prop = parse_json(InitiatedBy)
| extend InitialedBy=prop.user.userPrincipalName
|project InitialedBy , TimeGenerated,OperationName,Category,InitiatedBy,Result,ActivityDisplayName
Output
If you want to check removed users from Azure AD Group, use below query.
AuditLogs
| where Category contains_cs "GroupManagement"
| where OperationName contains "Remove member from group"
| where TargetResources contains "newgrp"
| extend prop = parse_json(InitiatedBy)
| extend InitialedBy=prop.user.userPrincipalName
|project InitialedBy , TimeGenerated,OperationName,Category,InitiatedBy,Result,ActivityDisplayName
Output:
Create an alert by clicking New alert rule
Create an Action Group to trigger the email.
Once you add the user to the Azure AD Group, you will get the alert as below.
Alert triggered in portal
Received email
