Forum Discussion

brlgen
Brass Contributor
Sep 23, 2021

Generate alert when changes made to the RBAC of Compliance Center

I'm trying to generate an alert in Sentinel when someone adds or removes users from the role groups in the Compliance Center (its built-in RBAC system). I am using the Office 365 activity connector, but there seem to be no corresponding events generated when these memberships are changed.


If I look in the audit logs of the Compliance Center itself, the descriptions of these actions there also seem quite vague.


Does anyone know a better way to monitor these Compliance Center RBAC role groups in Sentinel?

  • deshantshukla
    Copper Contributor

    Hey brlgen,

    RBAC activities are captured in the AuditLogs table; you can use the queries below for an analytics rule.


    User Added To RBAC Group

    AuditLogs
    | where OperationName == "Add member to group"
    | where Category == "GroupManagement"
    // Actor UPN lives in the nested InitiatedBy.user object
    | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(InitiatedByUser)
    // For an add, the group name is recorded in newValue
    | extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
    | extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
    | where AADOperationType == "Assign"
    | where Result == "success"
    | project InitiatedByUser, TargetedUser, GroupName, OperationName, Result, AADOperationType


    User Removed From RBAC Group

    AuditLogs
    | where OperationName == "Remove member from group"
    | where Category == "GroupManagement"
    | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(InitiatedByUser)
    // For a removal, the group name is recorded in oldValue
    | extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
    | extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
    | project InitiatedByUser, OperationName, TargetedUser, GroupName, Result, AADOperationType


    If you want, I can help you create a single analytics rule for both activities.
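    The two queries above can be merged into one analytics-rule query, as offered at the end of the answer. The block below is an added example, not code from the original post: it unions the add and remove cases over the same Sentinel AuditLogs columns the answer uses, picks the group name from newValue or oldValue depending on the operation, and adds a ChangeType column so one rule can fire on either event. The modifiedProperties index [1] and the Result filter are carried over from the posted queries and are assumed to match your tenant's events; verify them against a real add/remove before enabling the rule.

    ```kusto
    // Added example: single analytics rule covering both "Add member to group"
    // and "Remove member from group" in the Azure AD AuditLogs table.
    // Assumption: same schema as the two posted queries (modifiedProperties[1]
    // holds the group display name; Result == "success" for completed changes).
    AuditLogs
    | where Category == "GroupManagement"
    | where OperationName in ("Add member to group", "Remove member from group")
    | where Result == "success"
    // Actor UPN is nested inside InitiatedBy.user
    | extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(InitiatedByUser)
    // Parse the modified properties once and reuse them
    | extend ModProps = parse_json(tostring(TargetResources[0].modifiedProperties))
    // An add records the group in newValue, a removal in oldValue
    | extend GroupName = iff(OperationName == "Add member to group",
                             tostring(parse_json(tostring(ModProps[1].newValue))),
                             tostring(parse_json(tostring(ModProps[1].oldValue))))
    | extend ChangeType = iff(OperationName == "Add member to group", "MemberAdded", "MemberRemoved")
    | extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
    | project TimeGenerated, ChangeType, InitiatedByUser, TargetedUser, GroupName,
              OperationName, Result, AADOperationType, CorrelationId
    ```

    Keep the rule's lookback window as the rule setting rather than a hard-coded time filter, and map InitiatedByUser and TargetedUser to the Account entity so the resulting incident shows both sides of the change. Note that, as the original poster points out in the follow-up, this covers Azure AD group membership only, not the Compliance Center's own role groups.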

    • brlgen
      Brass Contributor
      Hi deshantshukla, the queries you shared are for Azure AD RBAC. I'm looking to monitor changes to the RBAC of the "Compliance Center", which has its own RBAC system.
