Azure AD detection User added to group vs User added to role
AnuragSrivastava, do you know how I make a distinction between groups and roles?
ceesmandjes, if you wish to list these out for roles & groups, then the appropriate operation names are 'Add member to role' and 'Add member to group'.
You can tweak the template rule mentioned above by adding these to the list, something like below (note that below is just the first few lines of the default template rule, as an example):
// Look-back window for the rule
let timeframe = 1h;
// Operation names to match: role additions plus the added group addition
let OperationList = dynamic(["Add member to role", "Add member to group", "Add member to role in PIM requested (permanent)"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"
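An added example, not part of the original reply or the template rule: a self-contained query that labels each event as a role or a group addition by its operation name and pulls the target name out of `modifiedProperties`. The rows in `SampleAuditLogs` are constructed, and the property names `Role.DisplayName` and `Group.DisplayName` are assumptions about the AuditLogs schema that should be checked against your own tenant's events.

```kusto
// Constructed sample rows standing in for AuditLogs (not real tenant data).
let SampleAuditLogs = datatable(TimeGenerated:datetime, LoggedByService:string,
    Category:string, OperationName:string, TargetResources:dynamic, InitiatedBy:dynamic)
[
    datetime(2024-01-01 10:00:00), "Core Directory", "RoleManagement", "Add member to role",
        dynamic([{"type":"User","userPrincipalName":"alice@example.com",
                  "modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"User Administrator"}]}]),
        dynamic({"user":{"userPrincipalName":"admin@example.com"}}),
    datetime(2024-01-01 10:05:00), "Core Directory", "GroupManagement", "Add member to group",
        dynamic([{"type":"User","userPrincipalName":"bob@example.com",
                  "modifiedProperties":[{"displayName":"Group.DisplayName","newValue":"Finance-Readers"}]}]),
        dynamic({"user":{"userPrincipalName":"admin@example.com"}}),
    // Control row: unrelated operation that must be filtered out.
    datetime(2024-01-01 10:10:00), "Core Directory", "UserManagement", "Update user",
        dynamic([{"type":"User","userPrincipalName":"carol@example.com","modifiedProperties":[]}]),
        dynamic({"user":{"userPrincipalName":"admin@example.com"}})
];
let OperationList = dynamic(["Add member to role", "Add member to group"]);
SampleAuditLogs            // swap for AuditLogs (plus a TimeGenerated filter) in a workspace
| where LoggedByService =~ "Core Directory"
| where OperationName in~ (OperationList)
// The operation name is what separates the two cases.
| extend ChangeType = case(
    OperationName =~ "Add member to role",  "Role",
    OperationName =~ "Add member to group", "Group",
    "Other")
// One row per modified property, keeping only the display name of the role or group.
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) in ("Role.DisplayName", "Group.DisplayName")
// Values in live logs are often wrapped in double quotes; trim them if present.
| extend TargetName = trim('"', tostring(Prop.newValue))
| project TimeGenerated, ChangeType, Category, TargetName,
          AddedUser = tostring(TargetResources[0].userPrincipalName),
          Actor = tostring(InitiatedBy.user.userPrincipalName)
```

The two event types also carry different `Category` values (`RoleManagement` versus `GroupManagement`), so a rule that filters on `Category =~ "RoleManagement"` will drop the group additions even with the operation name in the list.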