Forum Discussion
brlgen
Sep 23, 2021
Brass Contributor
Generate alert when changes made to the RBAC of Compliance Center
I'm trying to generate an Alert in Sentinel when someone adds or removes users from the role groups in the Compliance Center (built in RBAC system). I am using the Office 365 activity connector but t...
Sep 23, 2021
Hey brlgen,
RBAC activities are captured in the Audit Log table; you can use the queries below for an analytics rule.
User Added To RBAC Group
AuditLogs
// Successful group-membership additions recorded by Azure AD
| where OperationName == "Add member to group"
| where Category == "GroupManagement"
// Actor: the user who performed the change
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
// Group name lives in modifiedProperties[1].newValue as a JSON-encoded string, hence the double parse
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
// Target: the user that was added
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| where AADOperationType == "Assign"
| where Result == "success"
| project InitiatedByUser, TargetedUser, GroupName, OperationName, Result, AADOperationType
User Removed From RBAC Group
AuditLogs
// Group-membership removals recorded by Azure AD
| where OperationName == "Remove member from group"
| where Category == "GroupManagement"
// Actor: the user who performed the change
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
// For removals the group name is in oldValue rather than newValue
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
// Target: the user that was removed
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| project InitiatedByUser, OperationName, TargetedUser, GroupName, Result, AADOperationType
If you want, I can help you create a single analytics rule for both activities.
brlgen
Sep 23, 2021
Brass Contributor
Hi deshantshukla, the queries you shared are for Azure AD RBAC. I'm looking for monitoring the changes to the RBAC of "Compliance Center", which has its own RBAC system.
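The follow-up points out that Compliance Center role groups are not Azure AD groups, so the AuditLogs queries above will not see them. Membership changes to those role groups are made through the Security & Compliance PowerShell cmdlets, and the Office 365 activity connector that the question mentions ingests the unified audit log. The query below is an added example written for this page, not code from either participant. It assumes (none of this is confirmed by the thread) that the connector lands the events in the OfficeActivity table with OfficeWorkload set to "SecurityComplianceCenter", that the Operation column carries the cmdlet name, and that Parameters holds a JSON array of {Name, Value} pairs for the cmdlet arguments.

```kql
// Added example, not part of the thread. Assumed schema: OfficeActivity
// (Office 365 connector), OfficeWorkload == "SecurityComplianceCenter",
// Operation == cmdlet name, Parameters == JSON array of {Name, Value}.
OfficeActivity
| where TimeGenerated > ago(1h)   // match this window to the rule's run frequency
| where OfficeWorkload == "SecurityComplianceCenter"
// Cmdlets that change role-group membership in the Compliance Center
| where Operation in ("Add-RoleGroupMember", "Remove-RoleGroupMember", "Update-RoleGroupMember")
// Pull the role group (-Identity) and the affected member(s) (-Member / -Members)
// out of the recorded cmdlet parameters
| mv-apply P = parse_json(Parameters) on (
    summarize RoleGroup = take_anyif(tostring(P.Value), tostring(P.Name) == "Identity"),
              Member    = take_anyif(tostring(P.Value), tostring(P.Name) in ("Member", "Members"))
  )
| project TimeGenerated, Operation, InitiatedBy = UserId, RoleGroup, Member, ResultStatus
```

When this is wired into a scheduled analytics rule, map InitiatedBy and Member to Account entities so the incident shows who changed whom, and keep RoleGroup as a custom detail. Note that Update-RoleGroupMember replaces the whole membership list, so for that operation Member will contain the new full list rather than a single added or removed account; a first tuning pass is to confirm the OfficeWorkload and Operation values in your own OfficeActivity data before relying on the filter.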