Entra ID role adds in the last 7 days

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This query looks for Entra ID role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	d7f6e5c4-b3a2-4e9f-8d7c-6a5b4c3d2e1f
Tactics	Privilege Escalation
Techniques	T1548
Required Connectors	MicrosoftThreatProtection
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/Microsoft%20365%20Defender/Cloud%20Apps/aad-role-adds.yaml)

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries