Forum Discussion

Monkey_D_Luffy's avatar
Monkey_D_Luffy
Copper Contributor
Aug 14, 2023

Finetuning Sentinel alert for user added to Azure Active Directory Privileged Groups

I am here to ask for help with finetuning an alert in Sentinel. The alert is called "User added to Azure Active Directory Privileged Groups", and it's triggered when a user is added to a privileged g...
rockyseen's avatar
rockyseen
Copper Contributor
Dec 16, 2024

I know this is old but did you ever find anything for this, I have the exact same issue, the below didn't work, I did edit the query to this, which doesn't pick up activations but also doesn't pick up when new roles are added :

 

let OperationList = dynamic(["Add member to role", "Add member to role in PIM requested (permanent)"]);

let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);

AuditLogs

| where Category =~ "RoleManagement"

| where OperationName in~ (OperationList)

| mv-apply TargetResource = TargetResources on

  (

      where TargetResource.type =~ "User"

      | extend TargetUserPrincipalName = tostring(TargetResource.userPrincipalName),

               modProps = TargetResource.modifiedProperties

  )

| mv-apply Property = modProps on

  (

      where Property.displayName =~ "Role.WellKnownObjectName"

      | extend DisplayName = trim('"',tostring(Property.displayName)),

               GroupName = trim('"',tostring(Property.newValue))

  )

| extend InitiatingAppId = tostring(InitiatedBy.app.appId)

| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)

| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)

| extend InitiatingAppServicePrincipalName = tostring(InitiatedBy.app.servicePrincipalName)

| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)

| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)

| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))        

| extend InitiatingUserRoles = InitiatedBy.user.roles

| where GroupName in~ (PrivilegedGroups)

| where InitiatingAppName != "MS-PIM"

| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingAppName, InitiatingAppId, InitiatingAppServicePrincipalId, InitiatingIpAddress, InitiatingUserRoles, DisplayName, GroupName, TargetUserPrincipalName

| extend InitiatedByName = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), InitiatedByUPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])

| extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])

Resources