cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Azure AD detection User added to group vs User added to role

ceesmandjes
Copper Contributor

‎Feb 03 2021 03:53 AM - edited ‎Feb 03 2021 03:56 AM

‎Feb 03 2021 03:53 AM - edited ‎Feb 03 2021 03:56 AM

Azure AD detection User added to group vs User added to role

Hi,

 

I want to create two detection rules in Sentinel using Azure AD as source:

* User added to Group

* User added to Role

 

In Sentinel I see there is a template named "User added to Azure Active Directory Privileged Groups" available. However,  this detection rules seems to trigger on ROLES not GROUPS:

AuditLogs

| where OperationName in~ (["Add member to role","Add member to role in PIM requested (permanent)"])

 

Since the name of this detection rule contains Group, I am quite surprised that it looks at the operations that are related to roles. Why is that?

 

In the logs I can also see that there is also a Operation available for groups:

AuditLogs

| where OperationName in~ (["Add member to group"])

 

Why is the group operation not used for the group template? And with which Operation can I create a detection rule for groups, and with which operation can I create a detection rule for roles?

7,073 Views
0 Likes
3 Replies
Reply
3 Replies
AnuragSrivastava

‎Feb 03 2021 05:53 AM

‎Feb 03 2021 05:53 AM

Re: Azure AD detection User added to group vs User added to role

@ceesmandjes If you look at the rule logic, you'll see that there are 2 conditions used. One for the Operation and the other for the Group Addition. So the rule in Sentinel is using a combination of these two conditions:

where OperationName in~ (OperationList)

where GroupName in~ (PrivilegedGroups)

 

The values in OperationList and PrivilegedGroups have also been defined.

 

 

 

0 Likes
Reply
ceesmandjes

‎Feb 08 2021 05:36 AM

‎Feb 08 2021 05:36 AM

Re: Azure AD detection User added to group vs User added to role

@AnuragSrivastava  do you know how I make a distinction between groups and roles?

0 Likes
Reply
printscreen

‎Feb 16 2021 04:56 AM

‎Feb 16 2021 04:56 AM

Re: Azure AD detection User added to group vs User added to role

@ceesmandjes if you wish to list out the for roles & groups, then the appropriate operation names are 'Add member to role', 'Add member to group'.

 

You can tweak the template rule which is mentioned above by adding these to the list, something like below (Note that, below is just a few first lines from default template rule as an example)

 

let timeframe = 1h;
let OperationList = dynamic(["Add member to role",  "Add member to role", "Add member to group" ,"Add member to role in PIM requested (permanent)"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins","PrivilegedRoleAdmins","TenantAdmins"]);
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"

0 Likes
Reply