Forum Discussion
Find who activated and unified Microsoft Sentinel to Microsoft Defender XDR and when?
Seems like the above reply is not entirely correct.
When activating unified SOC the "Microsoft Sentinel Contributor" role is assigned to the following two enterprise applications (= service principals): Microsoft Threat Protection, WindowsDefenderATP.
You can use the Activity Log in Azure Monitor to check for this change.
- Search for Monitor in the search bar at portal.azure.com
- Activity Log
- Event category: Administrative
- Operation: Create role assignment
- Look for role assignments that include the role "Microsoft Sentinel Contributor" and the Message "Shared with WindowsDefenderATP" or "Shared with Microsoft Threat Protection"
The following KQL query (use Log Analytics or Sentinel) will return assignments to the Sentinel Contributor role. The PrincipalIds are the Enterprise Applications mentioned above. You can search for the Id at https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview to see if these principal Ids belong to the Microsoft Threat Protection and WindowsDefenderATP service principals.
AzureActivity
// Administrative events that write a role assignment; keep only the "Start" record so each assignment is counted once
| where CategoryValue =~ "Administrative" and
    OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write" and
    (ActivityStatusValue =~ "Start" or ActivityStatus =~ "Started")
// Properties is a JSON string; the requestbody inside it is itself a JSON string, hence todynamic() + tostring() + extractjson()
| extend Properties_d = todynamic(Properties)
| extend RoleDefinition = extractjson("$.properties.roleDefinitionId", tostring(Properties_d.requestbody), typeof(string))
| extend PrincipalId = extractjson("$.properties.principalId", tostring(Properties_d.requestbody), typeof(string))
| extend PrincipalType = extractjson("$.properties.principalType", tostring(Properties_d.requestbody), typeof(string))
| extend Scope = extractjson("$.properties.scope", tostring(Properties_d.requestbody), typeof(string))
// Ignore resource-group-level assignments
| where Scope !contains "resourcegroups"
// The last path segment of roleDefinitionId is the built-in role GUID
| extend RoleId = split(RoleDefinition, '/')[-1]
| extend RoleDisplayName = case(
    RoleId =~ 'ab8e14d6-4a74-4a29-9ba8-549422addade', "Sentinel Contributor",
    "Irrelevant")
| where RoleDisplayName != "Irrelevant"
| project TimeGenerated, Scope, PrincipalId, PrincipalType, RoleDisplayName
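As an added example (not code from the original post or from Microsoft), the same check replayed in Python over constructed AzureActivity-style rows, so the filtering steps can be tested offline before running the KQL in a workspace. The subscription ID, the principal object IDs, the caller UPN and the timestamps are constructed placeholders; the Microsoft Sentinel Contributor role ID is the one used in the query above, and the Caller column is carried through to answer the "who" part of the question.

```python
"""Replay of the role-assignment check from this thread over constructed
AzureActivity-style records (added example, not the original poster's code)."""
import json

# Built-in role definition ID of Microsoft Sentinel Contributor, as used in the KQL above.
SENTINEL_CONTRIBUTOR_ROLE_ID = "ab8e14d6-4a74-4a29-9ba8-549422addade"

# Placeholder object IDs standing in for the two service principals named in the thread.
# In a real tenant you would look the PrincipalId up under Entra ID > Enterprise applications.
KNOWN_PRINCIPALS = {
    "11111111-1111-1111-1111-111111111111": "Microsoft Threat Protection",
    "22222222-2222-2222-2222-222222222222": "WindowsDefenderATP",
}

# Constructed subscription scope (placeholder subscription ID).
SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"


def _activity_record(time, status, role_id, principal_id, scope, caller, properties=None):
    """Build one constructed AzureActivity-like row.

    Properties is a JSON string whose requestbody field is itself a JSON string,
    which is why the KQL needs todynamic() + tostring() + extractjson() to reach it.
    """
    if properties is None:
        request_body = {"properties": {
            "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
            "principalId": principal_id,
            "principalType": "ServicePrincipal",
            "scope": scope,
        }}
        properties = json.dumps({"requestbody": json.dumps(request_body)})
    return {
        "TimeGenerated": time,
        "CategoryValue": "Administrative",
        "OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
        "ActivityStatusValue": status,
        "Caller": caller,
        "Properties": properties,
    }


# Constructed sample data: two real hits plus four rows the filters must drop.
SAMPLE_ACTIVITY = [
    _activity_record("2024-10-20T09:15:02Z", "Start", SENTINEL_CONTRIBUTOR_ROLE_ID,
                     "11111111-1111-1111-1111-111111111111", SUB_SCOPE, "admin@contoso.example"),
    _activity_record("2024-10-20T09:15:02Z", "Start", SENTINEL_CONTRIBUTOR_ROLE_ID,
                     "22222222-2222-2222-2222-222222222222", SUB_SCOPE, "admin@contoso.example"),
    # Same assignment again with status Succeeded: dropped so each assignment is counted once.
    _activity_record("2024-10-20T09:15:05Z", "Succeeded", SENTINEL_CONTRIBUTOR_ROLE_ID,
                     "11111111-1111-1111-1111-111111111111", SUB_SCOPE, "admin@contoso.example"),
    # Some other role (placeholder role ID): not the role we care about.
    _activity_record("2024-10-21T11:00:00Z", "Start", "99999999-9999-9999-9999-999999999999",
                     "33333333-3333-3333-3333-333333333333", SUB_SCOPE, "ops@contoso.example"),
    # Sentinel Contributor, but at resource-group scope: dropped like the KQL's !contains "resourcegroups".
    _activity_record("2024-10-21T11:05:00Z", "Start", SENTINEL_CONTRIBUTOR_ROLE_ID,
                     "44444444-4444-4444-4444-444444444444", SUB_SCOPE + "/resourceGroups/rg-sentinel",
                     "ops@contoso.example"),
    # Malformed Properties payload: skipped instead of aborting the whole run.
    _activity_record("2024-10-21T11:06:00Z", "Start", SENTINEL_CONTRIBUTOR_ROLE_ID,
                     "55555555-5555-5555-5555-555555555555", SUB_SCOPE, "ops@contoso.example",
                     properties="not json at all"),
]


def find_sentinel_contributor_assignments(records, role_id=SENTINEL_CONTRIBUTOR_ROLE_ID):
    """Mirror the KQL filters: Administrative roleAssignments/write 'Start' events whose
    request body assigns role_id above resource-group level. Returns one dict per hit."""
    hits = []
    for rec in records:
        if rec.get("CategoryValue", "").lower() != "administrative":
            continue
        if rec.get("OperationNameValue", "").lower() != "microsoft.authorization/roleassignments/write":
            continue
        if rec.get("ActivityStatusValue", "").lower() not in ("start", "started"):
            continue
        try:
            props = json.loads(rec["Properties"])
            body = json.loads(props["requestbody"])["properties"]
            scope = body.get("scope", "")
        except (KeyError, TypeError, ValueError, AttributeError):
            continue  # unexpected payload shape; skip this row
        if "resourcegroups" in scope.lower():
            continue
        if body.get("roleDefinitionId", "").split("/")[-1].lower() != role_id.lower():
            continue
        principal_id = body.get("principalId", "")
        hits.append({
            "TimeGenerated": rec["TimeGenerated"],
            "Caller": rec.get("Caller", ""),
            "Scope": scope,
            "PrincipalId": principal_id,
            "PrincipalType": body.get("principalType", ""),
            "PrincipalName": KNOWN_PRINCIPALS.get(principal_id, "unknown: look up in Entra ID"),
            "RoleDisplayName": "Sentinel Contributor",
        })
    return hits


if __name__ == "__main__":
    for hit in find_sentinel_contributor_assignments(SAMPLE_ACTIVITY):
        print(f'{hit["TimeGenerated"]}  {hit["Caller"]} -> {hit["PrincipalName"]} '
              f'({hit["PrincipalId"]}) as {hit["RoleDisplayName"]} at {hit["Scope"]}')
```

Run against the constructed rows, only the two "Start" assignments at subscription scope survive; the Succeeded duplicate, the other role, the resource-group assignment and the malformed row are all dropped, which is the same set of filters the KQL applies.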
Rosine_LEROY (Oct 28, 2024, Copper Contributor): Thank you for all your answers. I found the logs I was looking for thanks to the query: OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"