Forum Discussion
Finetuning Sentinel alert for user added to Azure Active Directory Privileged Groups
I am here to ask for help with finetuning an alert in Sentinel. The alert is called "User added to Azure Active Directory Privileged Groups", and it's triggered when a user is added to a privileged group in Azure Active Directory.
The problem is that this alert is also triggered when IAM team members activate their PIM roles for day-to-day activities. This is not a security incident, and it's causing us to get a lot of false positives.
I'm trying to figure out a way to finetune the alert so that it's only triggered for actual security incidents. I am looking for ways or any ideas for finetuning the alert to proceed with this further.
If you have any suggestions, please let me know.
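Before changing the rule, it helps to see which role-management operations are actually reaching it and who initiates them, since PIM activations are usually distinguishable by their operation name or by the initiating application. The query below is an added example and is not part of the original post; it uses the Sentinel `AuditLogs` table columns the rule already relies on, and the 30-day lookback and the `IsPimActivation` heuristic are assumptions to check against your own tenant.

```kql
// Added example (not from the post): inventory of role-management operations
// so the analyst can see which ones are PIM activations before tuning the rule.
// Lookback window and the IsPimActivation heuristic are assumptions.
AuditLogs
| where TimeGenerated > ago(30d)
| where Category =~ "RoleManagement"
| where OperationName has "role"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
         InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
// Label the initiator so app-driven and human-driven changes are easy to tell apart.
| extend Initiator = iff(isnotempty(InitiatingAppName),
                         strcat("app:", InitiatingAppName),
                         strcat("user:", InitiatingUserPrincipalName))
// Heuristic: PIM activations either carry "PIM activation" in the operation name
// or are written by the MS-PIM service principal on the user's behalf.
| extend IsPimActivation = OperationName has "PIM activation" or InitiatingAppName =~ "MS-PIM"
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleInitiators = make_set(Initiator, 5)
    by OperationName, IsPimActivation, Result
| order by Events desc
```

Rows with `IsPimActivation == true` that account for most of the volume are the day-to-day activations the question describes; the remaining operation names are the ones the tuned rule should keep matching.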
2 Replies
- rockyseen (Copper Contributor)
I know this is old, but did you ever find anything for this? I have the exact same issue. The below didn't work; I edited the query to this, which doesn't pick up activations but also doesn't pick up when new roles are added:
```kusto
// Operations that add a member to a directory role; the second is the PIM permanent-assignment request.
let OperationList = dynamic(["Add member to role", "Add member to role in PIM requested (permanent)"]);
// Well-known object names of the privileged roles this rule watches.
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName in~ (OperationList)
// Expand the target resources and keep the user that was added, together with its modified properties.
| mv-apply TargetResource = TargetResources on
(
    where TargetResource.type =~ "User"
    | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),
             modProps = TargetResource.modifiedProperties
)
// Pull the role's well-known object name out of the modified properties.
| mv-apply Property = modProps on
(
    where Property.displayName =~ "Role.WellKnownObjectName"
    | extend DisplayName = trim('"', tostring(Property.displayName)),
             GroupName = trim('"', tostring(Property.newValue))
)
// Who initiated the change: an application (service principal) or a user.
| extend InitiatingAppId = tostring(InitiatedBy.app.appId)
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend InitiatingUserRoles = InitiatedBy.user.roles
| where GroupName in~ (PrivilegedGroups)
// Drop changes initiated by the PIM service itself (role activations).
| where InitiatingAppName != "MS-PIM"
| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppId, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserRoles, DisplayName, GroupName, TargetUserPrincipalName
// Split UPNs into name and suffix for entity mapping.
| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName, '@', 0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName, '@', 1)[0])
| extend TargetName = tostring(split(TargetUserPrincipalName, '@', 0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName, '@', 1)[0])
```
- Hi,
If you choose to edit the rule analytics, you can update the query under "set rule analytics".
Here you will just add
```kusto
| where InitiatedByDisplayName != "MS-PIM"
```
This should be added under the row
```kusto
| where GroupName in~ (PrivilegedGroups)
| where InitiatedByDisplayName != "MS-PIM"
```
Regards
Jimmy Lindö
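Both replies exclude everything initiated by MS-PIM, which silences activations but, as rockyseen found, also drops standing assignments that administrators make through PIM. The query below is an added example, not the rule's template and not either reply's code. It keeps the template's structure and changes three things: the PIM "completed (permanent)" assignment operations are added to `OperationList`; any event whose name marks it as a PIM activation is dropped; and the generic "Add member to role" event is dropped only when MS-PIM is the initiator, so human-initiated additions are kept. The extra operation names are taken from the Azure AD audit log activity list, and it is an assumption that their `TargetResources` carry the same `Role.WellKnownObjectName` modified property as the template expects; confirm both against your tenant's logs before deploying.

```kql
// Added example (not the Sentinel template or either reply's code).
// Assumptions: the PIM operation names below exist in your tenant's AuditLogs and
// carry the Role.WellKnownObjectName modified property on the target user.
let OperationList = dynamic([
    "Add member to role",
    "Add member to role in PIM requested (permanent)",
    "Add member to role in PIM completed (permanent)",
    "Add eligible member to role in PIM completed (permanent)"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
AuditLogs
| where Category =~ "RoleManagement"
| where OperationName in~ (OperationList)
// Defensive: if OperationList is widened later, activation events still stay out.
| where not(OperationName has "PIM activation")
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName),
         InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
         InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress),
                                            InitiatedBy.user.ipAddress,
                                            InitiatedBy.app.ipAddress))
// PIM writes a generic "Add member to role" event for every activation, initiated by MS-PIM.
// Drop only that combination; permanent PIM assignments and non-PIM additions are kept.
| where not(InitiatingAppName =~ "MS-PIM" and OperationName =~ "Add member to role")
| mv-apply TargetResource = TargetResources on
(
    where TargetResource.type =~ "User"
    | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),
             modProps = TargetResource.modifiedProperties
)
| mv-apply Property = modProps on
(
    where Property.displayName =~ "Role.WellKnownObjectName"
    | extend GroupName = trim('"', tostring(Property.newValue))
)
| where GroupName in~ (PrivilegedGroups)
| project TimeGenerated, OperationName, Result, InitiatingUserPrincipalName, InitiatingAppName,
          InitiatingIpAddress, TargetUserPrincipalName, GroupName
| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName, '@', 0)[0]),
         InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName, '@', 1)[0]),
         TargetName = tostring(split(TargetUserPrincipalName, '@', 0)[0]),
         TargetUPNSuffix = tostring(split(TargetUserPrincipalName, '@', 1)[0])
```

Run it over the same period as the original rule and compare counts: activations by the IAM team should disappear, while a test permanent assignment made through PIM and one made directly in the portal should both still produce a row.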