Forum Discussion
TS-noodlemctwoodle
Oct 13, 2020 | Brass Contributor
Grouping Azure Sentinel - Azure Active Directory Identity Protection alerts
Is there a way to group Azure Active Directory Identity Protection alerts such as "Unfamiliar sign-in properties" in Azure Sentinel? We are seeing hundreds of these alerts being raised on a dail...
TS-noodlemctwoodle
Oct 13, 2020 | Brass Contributor
I have created a custom Scheduled rule and used this KQL to capture the same information that Identity Protection captures in the event.
SecurityAlert
// keep only the newest copy of each alert (the same alert can be re-emitted)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where DisplayName has "Unfamiliar sign-in properties"
| where AlertSeverity has "Low"
| project SystemAlertId, Entities, ExtendedProperties
// substitute a dummy bag when the payload is empty so the row survives mv-expand
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| extend ExtendedProperties = iff(isempty(ExtendedProperties), todynamic('[{"dummy" : ""}]'), todynamic(ExtendedProperties))
| mv-expand Entities, ExtendedProperties
// flatten the bags into columns, then read the user and IP fields if present
| evaluate bag_unpack(Entities)
| evaluate bag_unpack(ExtendedProperties)
| extend userName = column_ifexists("User Account", "")
| extend ipAddress = column_ifexists("Address", "")
I mapped the entities from the KQL in the rule
I grouped all alerts into a single incident
- TS-noodlemctwoodle | Oct 13, 2020 | Brass Contributor
My KQL definitely requires some work to map the entities to each other. More R&D required 🙂
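As an added illustration (not code from the thread), the Python below mirrors what the scheduled-rule KQL in the first answer does, over a few constructed SecurityAlert-shaped rows: newest copy per SystemAlertId, the DisplayName/AlertSeverity filter, the dummy-bag substitution for empty Entities/ExtendedProperties, and the user/IP extraction, then one bucket per user. The row shape (an account entity with Name/UPNSuffix, an ip entity with Address, a "User Account" key in ExtendedProperties) and the substring approximation of KQL `has` are assumptions.

```python
import json
from collections import defaultdict

def _row(ts, alert_id, severity, entities, props):
    """Constructed SecurityAlert-shaped row; Entities/ExtendedProperties are JSON strings."""
    return {"TimeGenerated": ts, "SystemAlertId": alert_id, "AlertSeverity": severity,
            "DisplayName": "Unfamiliar sign-in properties",
            "Entities": json.dumps(entities) if entities else "",
            "ExtendedProperties": json.dumps(props) if props else ""}
ACCT = {"Type": "account", "Name": "alice", "UPNSuffix": "contoso.example"}
SAMPLE_ROWS = [  # constructed sample data, not real tenant records
    _row("2020-10-13T08:00:00Z", "a1", "Low", [ACCT, {"Type": "ip", "Address": "203.0.113.9"}],
         {"User Account": "alice@contoso.example"}),
    # the same alert re-emitted later with a newer IP: arg_max keeps only this copy
    _row("2020-10-13T09:00:00Z", "a1", "Low", [ACCT, {"Type": "ip", "Address": "203.0.113.10"}],
         {"User Account": "alice@contoso.example"}),
    _row("2020-10-13T09:30:00Z", "a2", "Low", [], {}),  # empty payloads -> dummy bag, row kept
    _row("2020-10-13T10:00:00Z", "a3", "Medium", [{"Type": "ip", "Address": "198.51.100.7"}],
         {"User Account": "bob@contoso.example"}),  # Medium severity: dropped by the filter
]

def latest_per_alert(rows):
    """arg_max(TimeGenerated, *) by SystemAlertId: keep the newest copy of each alert."""
    best = {}
    for r in rows:
        cur = best.get(r["SystemAlertId"])
        if cur is None or r["TimeGenerated"] > cur["TimeGenerated"]:
            best[r["SystemAlertId"]] = r
    return list(best.values())

def to_dynamic(value):
    """iff(isempty(x), todynamic('[{"dummy":""}]'), todynamic(x)); a single bag becomes a list."""
    parsed = json.loads(value) if value else [{"dummy": ""}]
    return parsed if isinstance(parsed, list) else [parsed]

def extract(row):
    """bag_unpack + column_ifexists: 'User Account' from ExtendedProperties, 'Address' from the ip entity, '' if absent."""
    user = next((p["User Account"] for p in to_dynamic(row["ExtendedProperties"]) if "User Account" in p), "")
    ip = next((e["Address"] for e in to_dynamic(row["Entities"]) if e.get("Type") == "ip"), "")
    return row["SystemAlertId"], user, ip

def group_alerts(rows, name="Unfamiliar sign-in properties", severity="Low"):
    """DisplayName/AlertSeverity filter ('has' approximated by substring), then one bucket of (alert id, IP) per user."""
    grouped = defaultdict(list)
    for r in latest_per_alert(rows):
        if name in r["DisplayName"] and severity in r["AlertSeverity"]:
            alert_id, user, ip = extract(r)
            grouped[user].append((alert_id, ip))
    return dict(grouped)
```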
- Thijs Lecomte | Oct 13, 2020 | Bronze Contributor
What we do is we configure the default Security rule to exclude Unfamiliar sign-ins and then create a custom KQL query like you did.
Make sure you also configure Incident Grouping, which will group everything into one incident.
IMO, you shouldn't use Alert Grouping here, as one IDP alert should be one alert within Sentinel.
- luizao_lf | Oct 16, 2020 | Copper Contributor
I found the solution interesting. But if you are going to get the IP logs, through which table will these logs be retrieved?