Azure Sentinel getting account from AAD group query


Hello everyone, I'm in the process of setting up an automatic watchlist update for Sentinel, where whenever an AAD user is added to a specific AAD group, the given user's data will be put into a Sentinel watchlist (like in picture 1).

[picture 1]

The way I have set it up at the moment is that the alert rule triggers whenever a user is added to the given AAD group, and it pulls the log file.


That's all well and good, but the log file that is pulled mainly includes data regarding the AAD group and the tenant ID of the entire AAD.

[ana-rule.PNG]

I have tried out different mapping options inside Sentinel to pull the right entity/account.

But I always get the same "Tenant ID", which I can't find anywhere in our AAD.

I have set up a logic app/playbook where it should receive the account from the query, but I'm not sure how to pull the account from the log file.

My main issue has been these AAD groups; they seem to mess with the log file compared to when you only target the AAD account (or multiple accounts).


Has anyone worked with this before or done something similar? All help and tips are greatly appreciated!

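The situation described in the post (an analytics rule that fires on group membership changes but maps the wrong entity) usually comes down to the shape of the Azure AD audit record: for an "Add member to group" event, the user that was added sits in the `TargetResources` array (type `User`), and the group is only present as a `Group.ObjectID` / `Group.DisplayName` entry inside that user's `modifiedProperties`. The KQL below is an added example, not the poster's rule or anything from Microsoft's documentation; it assumes the `AuditLogs` table from the Azure AD diagnostic connector, and the group object ID is a placeholder to replace with the real one.

```kusto
// Added example: isolate the user that was added to one specific AAD group,
// so the rule can map the Account entity to the user's UPN instead of the tenant.
let TargetGroupId = "00000000-0000-0000-0000-000000000000"; // placeholder: object ID of the watched AAD group
AuditLogs
| where OperationName == "Add member to group"
| where Result == "success"
// Each element of TargetResources becomes its own row; keep only the user being added.
| mv-expand TargetResource = TargetResources
| where TargetResource.type == "User"
| extend AddedUserUPN = tostring(TargetResource.userPrincipalName),
         AddedUserId  = tostring(TargetResource.id)
// The group the user was added to is carried in the user's modifiedProperties.
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| where ModifiedProperty.displayName == "Group.ObjectID"
// newValue is a JSON-encoded string, so the surrounding quotes are stripped before comparing.
| extend GroupId = trim('"', tostring(ModifiedProperty.newValue))
| where GroupId =~ TargetGroupId
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, AddedUserUPN, AddedUserId, GroupId, Actor
```

With the query projecting `AddedUserUPN`, the rule's entity mapping can point the Account entity's `FullName` (or `Name`/`UPNSuffix`) at that column rather than at the default identifiers, and the playbook triggered by the incident then receives the added user as its Account entity, which is what the watchlist update step needs. Filtering on `Result == "success"` keeps failed or denied membership changes from creating watchlist entries.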