Forum Discussion

Rosine_LEROY
Copper Contributor
Oct 23, 2024

Find who activated and unified Microsoft Sentinel to Microsoft Defender XDR and when?

Hello Everyone,

I'm trying to find information regarding a configuration change on Defender XDR.

I've looked everywhere to find out who activated and unified Microsoft Sentinel with Microsoft Defender XDR, and when.

Can you help me find this information, either using the Defender XDR console or using KQL queries?


Thanks in advance for your help.

Kind regards,
Rosine

  • micheleariis
    Steel Contributor

    Rosine_LEROY Hi, you can use Azure Activity Logs.

    Azure Activity Logs capture all control-plane events within your Azure subscription, including changes made to resources like Microsoft Sentinel and Defender XDR.

    1- Sign in to the Azure Portal: go to https://portal.azure.com.

    2- Navigate to Activity Logs:
       Click on Monitor in the left-hand menu.
       Select Activity Log under the Monitoring section.

    3- Filter the Activity Logs:
       Time Range: Set the time range to cover the period when the unification might have occurred.
       Subscription: Ensure the correct subscription is selected.
       Event Categories: Choose Administrative.
       Resource Type: Select Microsoft.SecurityInsights/Workspaces or Microsoft.OperationalInsights/Workspaces.
       Operation Name: Look for operations like "Create or Update Microsoft Sentinel" or "Microsoft.SecurityInsights/onboardToSentinel/Action".

    4- Identify the Action:
       Look for entries that indicate the activation or unification of Sentinel and Defender XDR.
       Caller: The Initiated By or Caller field will display who performed the action.
       Timestamp: The Event Timestamp shows when the action occurred.


    Alternatively, you can use Microsoft 365 Defender Advanced Hunting.

    1- Access Microsoft 365 Defender > Threat & Vulnerability Management > Advanced Hunting

    2- Run KQL Query

    // Query Audit Logs for Defender XDR and Sentinel Integration
    AuditLogs
    | where TimeGenerated >= ago(90d) // Adjust as needed
    | where OperationName == "Integration with Microsoft Sentinel enabled"
        or OperationName == "Integration with Microsoft Sentinel updated"
    | project TimeGenerated, OperationName, InitiatedBy, ResultStatus
    | order by TimeGenerated desc

    I hope this helps you.

  • am1357
    Brass Contributor

    Rosine_LEROY

    Seems like the above reply is not entirely correct.

    When activating unified SOC the "Microsoft Sentinel Contributor" role is assigned to the following two enterprise applications (= service principals): Microsoft Threat Protection, WindowsDefenderATP.

    You can use the Activity Log in Azure Monitor to check for this change.

    • Search for Monitor in the search bar at portal.azure.com
    • Activity Log
    • Event category: Administrative
    • Operation: Create role assignment
    • Look for role assignments that include the role "Microsoft Sentinel Contributor" and the Message "Shared with WindowsDefenderATP" or "Shared with Microsoft Threat Protection"

    The following KQL query (use Log Analytics or Sentinel) will return assignments to the Sentinel Contributor role. The PrincipalIds are the Enterprise Applications mentioned above. You can search for the Id at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview to see if these principal Ids belong to the Microsoft Threat Protection and WindowsDefenderATP service principals.

    AzureActivity
    | where CategoryValue =~ "Administrative" and
        OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write" and
        (ActivityStatusValue =~ "Start" or ActivityStatus =~ "Started")
    | extend Properties_d = todynamic(Properties)
    | extend RoleDefinition = extractjson("$.properties.roleDefinitionId", tostring(Properties_d.requestbody), typeof(string))
    | extend PrincipalId = extractjson("$.properties.principalId", tostring(Properties_d.requestbody), typeof(string))
    | extend PrincipalType = extractjson("$.properties.principalType", tostring(Properties_d.requestbody), typeof(string))
    | extend Scope = extractjson("$.properties.scope", tostring(Properties_d.requestbody), typeof(string))
    | where Scope !contains "resourcegroups"
    | extend RoleId = split(RoleDefinition, '/')[-1]
    | extend RoleDisplayName = case(
        RoleId =~ 'ab8e14d6-4a74-4a29-9ba8-549422addade', "Sentinel Contributor",
        "Irrelevant")
    | where RoleDisplayName != "Irrelevant"
    | project TimeGenerated, Scope, PrincipalId, PrincipalType, RoleDisplayName

    • Rosine_LEROY
      Copper Contributor
      Thank you for all your answers. I found the logs I was looking for thanks to the query: OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
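The same detection logic as the Activity Log procedure and the AzureActivity KQL above, carried out offline over constructed AzureActivity-style rows so the filtering steps can be checked one by one. This is an added example written for this thread, not code from either reply or from Microsoft: the subscription, workspace and service principal object IDs are placeholders, and the mapping from principal ID to "Microsoft Threat Protection" / "WindowsDefenderATP" is an assumption that a real tenant would fill in from Enterprise Applications. The role definition ID for Microsoft Sentinel Contributor is the one the KQL uses. Unlike the KQL, it reports the assignment scope rather than filtering on it, so the reader can see where the grant landed.

```python
import json

# Built-in role definition ID for "Microsoft Sentinel Contributor", as used in the thread's KQL.
SENTINEL_CONTRIBUTOR_ROLE_ID = "ab8e14d6-4a74-4a29-9ba8-549422addade"

# Hypothetical object IDs for the two service principals named in the thread. These are
# constructed placeholders; in a real tenant read the IDs from Enterprise Applications.
KNOWN_PRINCIPALS = {
    "11111111-1111-1111-1111-111111111111": "Microsoft Threat Protection",
    "22222222-2222-2222-2222-222222222222": "WindowsDefenderATP",
}

SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
WORKSPACE_SCOPE = (SUB_SCOPE + "/resourceGroups/rg-sentinel/providers/"
                   "Microsoft.OperationalInsights/workspaces/ws-sentinel")  # placeholder workspace


def make_record(time, status, caller, role_id=None, principal_id=None,
                principal_type="ServicePrincipal", scope=WORKSPACE_SCOPE):
    """Build a constructed AzureActivity-style row. Only the Start row carries the request body,
    which is why the thread's KQL filters on ActivityStatusValue == "Start"."""
    props = {}
    if role_id is not None:
        props["requestbody"] = json.dumps({"properties": {
            "roleDefinitionId": f"{SUB_SCOPE}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
            "principalId": principal_id,
            "principalType": principal_type,
            "scope": scope,
        }})
    return {
        "TimeGenerated": time,
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
        "ActivityStatusValue": status,
        "Caller": caller,
        "Properties": json.dumps(props),
    }


# Constructed sample rows: the unified-SOC onboarding pattern plus unrelated assignments.
SAMPLE_RECORDS = [
    make_record("2024-10-01T08:15:00Z", "Start", "admin@example.onmicrosoft.com",
                SENTINEL_CONTRIBUTOR_ROLE_ID, "11111111-1111-1111-1111-111111111111"),
    make_record("2024-10-01T08:15:02Z", "Success", "admin@example.onmicrosoft.com"),
    make_record("2024-10-01T08:15:03Z", "Start", "admin@example.onmicrosoft.com",
                SENTINEL_CONTRIBUTOR_ROLE_ID, "22222222-2222-2222-2222-222222222222"),
    # Unrelated: some other role (placeholder ID) granted to a user.
    make_record("2024-10-02T10:00:00Z", "Start", "ops@example.onmicrosoft.com",
                "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "33333333-3333-3333-3333-333333333333", "User"),
    # Unrelated: Sentinel Contributor granted to an ordinary user, not one of the two service principals.
    make_record("2024-10-03T09:30:00Z", "Start", "ops@example.onmicrosoft.com",
                SENTINEL_CONTRIBUTOR_ROLE_ID, "44444444-4444-4444-4444-444444444444", "User"),
]


def parse_role_assignment(record):
    """Extract assignment fields from a roleAssignments/write Start row; None if not applicable."""
    if record.get("CategoryValue", "").lower() != "administrative":
        return None
    if record.get("OperationNameValue", "").lower() != "microsoft.authorization/roleassignments/write":
        return None
    if record.get("ActivityStatusValue") not in ("Start", "Started"):
        return None
    try:
        props = json.loads(record.get("Properties", "{}"))
        body = json.loads(props["requestbody"])["properties"]
        return {
            "time": record["TimeGenerated"],
            "caller": record.get("Caller", "<unknown>"),
            "role_id": body["roleDefinitionId"].rsplit("/", 1)[-1].lower(),  # same as split(...)[-1] in KQL
            "principal_id": body["principalId"].lower(),
            "principal_type": body.get("principalType", ""),
            "scope": body["scope"],
        }
    except (KeyError, TypeError, ValueError):
        return None


def find_unified_soc_assignments(records):
    """Return Sentinel Contributor assignments to the two Defender service principals, oldest first."""
    hits = []
    for rec in records:
        a = parse_role_assignment(rec)
        if a is None or a["role_id"] != SENTINEL_CONTRIBUTOR_ROLE_ID:
            continue
        name = KNOWN_PRINCIPALS.get(a["principal_id"])
        if name is None:
            continue
        hits.append({**a, "principal_name": name})
    return sorted(hits, key=lambda h: h["time"])


def who_and_when(records):
    """Answer the thread's question: (caller, timestamp) of the earliest matching assignment, or None."""
    hits = find_unified_soc_assignments(records)
    if not hits:
        return None
    return hits[0]["caller"], hits[0]["time"]


if __name__ == "__main__":
    for h in find_unified_soc_assignments(SAMPLE_RECORDS):
        print(f'{h["time"]}  {h["caller"]}  granted Sentinel Contributor to {h["principal_name"]} at {h["scope"]}')
    print("Unified SOC enabled by:", who_and_when(SAMPLE_RECORDS))
```

The Success row is skipped because it carries no request body, and the two grants to ordinary users are skipped because the point of the check is the pair of first-party service principals, not every Sentinel Contributor assignment. Exported AzureActivity rows (for example from a Log Analytics export) can be fed to `find_unified_soc_assignments` in place of the constructed samples once the principal ID mapping is filled in for the tenant.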
