Azure AD detection User added to group vs User added to role


Hi,


I want to create two detection rules in Sentinel using Azure AD as source:

* User added to Group

* User added to Role

In Sentinel I see there is a template named "User added to Azure Active Directory Privileged Groups" available. However, this detection rule seems to trigger on ROLES, not GROUPS:

AuditLogs

| where OperationName in~ (["Add member to role","Add member to role in PIM requested (permanent)"])


Since the name of this detection rule contains Group, I am quite surprised that it looks at the operations that are related to roles. Why is that?

In the logs I can also see that there is also an Operation available for groups:

AuditLogs

| where OperationName in~ (["Add member to group"])


Why is the group operation not used for the group template? And with which Operation can I create a detection rule for groups, and with which operation can I create a detection rule for roles?

3 Replies

@ceesmandjes If you look at the rule logic, you'll see that there are 2 conditions used: one for the Operation and the other for the Group addition. So the rule in Sentinel is using a combination of these two conditions:

where OperationName in~ (OperationList)

where GroupName in~ (PrivilegedGroups)


The values in OperationList and PrivilegedGroups have also been defined.


@AnuragSrivastava do you know how I make a distinction between groups and roles?

@ceesmandjes if you wish to list them out for roles & groups, then the appropriate operation names are 'Add member to role' and 'Add member to group'.

You can tweak the template rule mentioned above by adding these to the list, something like below (note that below are just the first few lines from the default template rule, as an example):


let timeframe = 1h;
let OperationList = dynamic(["Add member to role", "Add member to group", "Add member to role in PIM requested (permanent)"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins","PrivilegedRoleAdmins","TenantAdmins"]);
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"
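The thread stops at extending OperationList, which still does not tell group additions and role additions apart once both operation names are in the same list. The query below is an added example (not from the thread or the Sentinel template) that tags each AuditLogs membership event as a GROUP or ROLE change and filters each against its own watchlist. It assumes the standard Sentinel AuditLogs schema; the modifiedProperties displayName values "Group.DisplayName" and "Role.DisplayName" are what Azure AD audit records typically carry and should be confirmed in your own tenant, and the watched group and role names are constructed placeholders.

```kusto
// Added example: split "user added to group" from "user added to role" in
// one AuditLogs query by tagging the event with a ChangeType column.
// Schema assumptions: TargetResources[].modifiedProperties[] contains an
// entry whose displayName is "Group.DisplayName" for group membership
// changes and "Role.DisplayName" for role membership changes.
let timeframe = 1h;
let GroupOps = dynamic(["Add member to group"]);
let RoleOps  = dynamic(["Add member to role",
                        "Add member to role in PIM requested (permanent)"]);
// Constructed placeholder names; replace with the groups/roles you care about.
let WatchedGroups = dynamic(["Tier0-Admins", "Break-Glass-Operators"]);
let WatchedRoles  = dynamic(["Global Administrator", "Privileged Role Administrator"]);
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"
| where OperationName in~ (GroupOps) or OperationName in~ (RoleOps)
// Tag the row so the same pipeline serves both detections.
| extend ChangeType = iff(OperationName in~ (GroupOps), "GROUP", "ROLE")
// One row per target resource (the user being added is one of them).
| mv-expand Target = TargetResources
| extend AddedUser = tostring(Target.userPrincipalName)
// One row per modified property; keep only the group/role display name.
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) in~ ("Group.DisplayName", "Role.DisplayName")
// newValue is a JSON-encoded string ("\"Global Administrator\""); parse it
// so the comparison against the watchlists does not include the quotes.
| extend TargetName = tostring(parse_json(tostring(Prop.newValue)))
// Who performed the change: a user, or an app/service principal.
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
// Each change type is checked against its own watchlist, so a role name
// never matches the group list and vice versa.
| where (ChangeType == "GROUP" and TargetName in~ (WatchedGroups))
     or (ChangeType == "ROLE"  and TargetName in~ (WatchedRoles))
| project TimeGenerated, ChangeType, Category, OperationName, Actor,
          AddedUser, TargetName, CorrelationId
```

To turn this into two analytics rules, keep the query as is and add `| where ChangeType == "GROUP"` or `| where ChangeType == "ROLE"` as the final line of each rule; Category (GroupManagement vs RoleManagement) is projected as a second signal to sanity-check the tagging during tuning.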