Forum Discussion
Azure AD detection User added to group vs User added to role
ceesmandjes If you look at the rule logic, you'll see that there are 2 conditions used. One for the Operation and the other for the Group Addition. So the rule in Sentinel is using a combination of these two conditions:
where OperationName in~ (OperationList)
where GroupName in~ (PrivilegedGroups)
The values in OperationList and PrivilegedGroups have also been defined.
AnuragSrivastava do you know how I make a distinction between groups and roles?
Reply, Feb 16, 2021 (Brass Contributor):
ceesmandjes if you wish to list these out for roles & groups, then the appropriate operation names are 'Add member to role' and 'Add member to group'.
You can tweak the template rule mentioned above by adding these to the list, something like below (note that below are just the first few lines from the default template rule, as an example):
let timeframe = 1h;
// Operation names covering both role and group membership additions
let OperationList = dynamic(["Add member to role", "Add member to group", "Add member to role in PIM requested (permanent)"]);
// Group display names the rule treats as privileged
let PrivilegedGroups = dynamic(["UserAccountAdmins","PrivilegedRoleAdmins","TenantAdmins"]);
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"
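The distinction the thread asks about comes from where Azure AD records the target: a role addition carries a `Role.DisplayName` entry in `TargetResources[0].modifiedProperties`, a group addition carries `Group.DisplayName`. The following is an added example, not code from the thread or from the Sentinel template, that mirrors the rule's filters in Python over constructed audit records so the split can be tested offline; the `PRIVILEGED_ROLES` watch-list and the sample UPNs are assumptions.

```python
import json

# Constructed sample rows in the shape of Azure AD AuditLogs (not real log data).
# newValue is stored as a JSON-encoded string, hence the escaped quotes.
SAMPLE_AUDIT_LOGS = [
    {"OperationName": "Add member to role", "LoggedByService": "Core Directory",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "alice@contoso.example", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]}]},
    {"OperationName": "Add member to group", "LoggedByService": "Core Directory",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "bob@contoso.example", "modifiedProperties": [
         {"displayName": "Group.ObjectID", "newValue": "\"<constructed-guid>\""},
         {"displayName": "Group.DisplayName", "newValue": "\"TenantAdmins\""}]}]},
    {"OperationName": "Add member to group", "LoggedByService": "Core Directory",
     "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "carol@contoso.example", "modifiedProperties": [
         {"displayName": "Group.DisplayName", "newValue": "\"Marketing\""}]}]},
    {"OperationName": "Update user", "LoggedByService": "Core Directory",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "TargetResources": [{"userPrincipalName": "dave@contoso.example", "modifiedProperties": []}]},
]

# Lower-cased so membership tests behave like KQL's case-insensitive in~ operator.
OPERATION_LIST = {"add member to role", "add member to group",
                  "add member to role in pim requested (permanent)"}
PRIVILEGED_GROUPS = {"useraccountadmins", "privilegedroleadmins", "tenantadmins"}
PRIVILEGED_ROLES = {"global administrator", "privileged role administrator"}  # assumed watch-list

def membership_target(record):
    """Return (kind, name): kind is 'role' or 'group', taken from the modifiedProperties
    entry whose displayName is Role.DisplayName or Group.DisplayName; (None, None) if absent."""
    for res in record.get("TargetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") in ("Role.DisplayName", "Group.DisplayName"):
                return prop["displayName"].split(".")[0].lower(), json.loads(prop["newValue"])
    return None, None

def classify_membership_events(records):
    """Apply the template's LoggedByService and OperationName filters, then label each hit
    by role vs group and by whether the target name is on the matching watch-list."""
    hits = []
    for rec in records:
        if rec.get("LoggedByService", "").lower() != "core directory":
            continue
        if rec.get("OperationName", "").lower() not in OPERATION_LIST:
            continue
        kind, name = membership_target(rec)
        if kind is None:
            continue  # operation matched but no role/group identity was recorded
        watch = PRIVILEGED_ROLES if kind == "role" else PRIVILEGED_GROUPS
        hits.append({"kind": kind, "name": name, "privileged": name.lower() in watch,
                     "target": rec["TargetResources"][0].get("userPrincipalName"),
                     "actor": rec.get("InitiatedBy", {}).get("user", {}).get("userPrincipalName")})
    return hits
```

In the Sentinel rule the same split can be expressed by extending a column from whichever `modifiedProperties` entry has `displayName` of `Role.DisplayName` or `Group.DisplayName`, rather than assuming a fixed array index.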