Generate alert when changes made to the RBAC of Compliance Center


I'm trying to generate an Alert in Sentinel when someone adds or removes users from the role groups in the Compliance Center (built-in RBAC system). I am using the Office 365 activity connector, but there seem to be no corresponding events generated when these memberships are changed.

 

If I look in the audit logs of the Compliance Center, here too the descriptions of these actions seem quite vague.

 

Does anyone know a better way to monitor these RBAC role groups for the Compliance center in Sentinel?


Hey @brlgen,

 

RBAC activities are captured in the Audit Log table; you can use the queries below for an analytics rule.

 

User Added To RBAC Group

AuditLogs
| where OperationName == "Add member to group"
| where Category == "GroupManagement"
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| where AADOperationType == "Assign"
| where Result == "success"
| project InitiatedByUser, TargetedUser, GroupName, OperationName, Result, AADOperationType

 

User Removed From RBAC Group

AuditLogs
| where OperationName == "Remove member from group"
| where Category == "GroupManagement"
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| project InitiatedByUser, OperationName, TargetedUser, GroupName, Result, AADOperationType

 

If you want, I can help you create a single analytics rule for both activities.
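The two queries above rely on a fairly deep chain of parse_json/tostring calls to dig the group name and target user out of the AuditLogs columns, and on the hard-coded index [1] into modifiedProperties. The script below is an added example, not code from this thread, that reproduces the same extraction in Python over constructed records shaped the way the queries assume the AuditLogs table looks (InitiatedBy, TargetResources, modifiedProperties stored as a JSON string). It is useful for checking what a rule would surface before deploying it: it filters out app-initiated changes (the isnotempty(InitiatedByUser) check) and failed operations, and it deliberately looks the group name up by its displayName rather than by position, which is more robust than index [1] if the property order ever differs. The sample records, field values and the Group.DisplayName property name are assumptions for illustration. As the thread itself notes further down, this covers Azure AD group membership events rather than Compliance Center role groups.

```python
import json

# Constructed sample records (not real tenant data) shaped like the Sentinel
# AuditLogs columns referenced by the KQL queries in this thread.
# modifiedProperties is stored as a JSON string to mirror the double encoding
# that forces the nested parse_json(tostring(...)) calls in the original queries.
def _modified_props(group_id, group_name, key):
    return json.dumps([
        {"displayName": "Group.ObjectID", key: json.dumps(group_id)},
        {"displayName": "Group.DisplayName", key: json.dumps(group_name)},
    ])

SAMPLE_AUDIT_LOGS = [
    {   # successful add initiated by a user: should be flagged
        "OperationName": "Add member to group", "Category": "GroupManagement",
        "AADOperationType": "Assign", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"userPrincipalName": "alice@contoso.example",
                             "modifiedProperties": _modified_props("g-1", "Compliance Administrators", "newValue")}],
    },
    {   # successful remove: should be flagged (group name lives in oldValue here)
        "OperationName": "Remove member from group", "Category": "GroupManagement",
        "AADOperationType": "Unassign", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"userPrincipalName": "bob@contoso.example",
                             "modifiedProperties": _modified_props("g-1", "Compliance Administrators", "oldValue")}],
    },
    {   # failed add: ignored, like the query's "where Result == 'success'"
        "OperationName": "Add member to group", "Category": "GroupManagement",
        "AADOperationType": "Assign", "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "TargetResources": [{"userPrincipalName": "carol@contoso.example",
                             "modifiedProperties": _modified_props("g-1", "Compliance Administrators", "newValue")}],
    },
    {   # add performed by an app, no user principal: ignored, like isnotempty(InitiatedByUser)
        "OperationName": "Add member to group", "Category": "GroupManagement",
        "AADOperationType": "Assign", "Result": "success",
        "InitiatedBy": {"app": {"displayName": "Sync App"}},
        "TargetResources": [{"userPrincipalName": "dave@contoso.example",
                             "modifiedProperties": _modified_props("g-1", "Compliance Administrators", "newValue")}],
    },
]

# Which modifiedProperties field carries the group name for each operation.
OPERATIONS = {"Add member to group": "newValue", "Remove member from group": "oldValue"}


def _as_json(value):
    """Mirror KQL parse_json(tostring(x)): accept a JSON string or an already-parsed object."""
    return json.loads(value) if isinstance(value, str) else value


def extract_membership_change(record):
    """Return the fields the analytics rule would project, or None when the record is
    not a successful, user-initiated group membership change."""
    value_key = OPERATIONS.get(record.get("OperationName"))
    if value_key is None or record.get("Category") != "GroupManagement":
        return None
    if record.get("Result") != "success":
        return None
    initiator = ((record.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName")
    if not initiator:
        return None
    targets = record.get("TargetResources") or []
    if not targets:
        return None
    target = targets[0]
    # Look the group name up by property name instead of trusting index [1].
    group_name = None
    for prop in _as_json(target.get("modifiedProperties", "[]")) or []:
        if prop.get("displayName") == "Group.DisplayName" and prop.get(value_key):
            group_name = _as_json(prop[value_key])
            break
    return {
        "InitiatedByUser": initiator,
        "TargetedUser": target.get("userPrincipalName"),
        "GroupName": group_name,
        "OperationName": record["OperationName"],
        "Result": record["Result"],
        "AADOperationType": record.get("AADOperationType"),
    }


def detect_membership_changes(records):
    """Apply the extraction to every record and keep only the hits."""
    return [hit for hit in (extract_membership_change(r) for r in records) if hit]


if __name__ == "__main__":
    for hit in detect_membership_changes(SAMPLE_AUDIT_LOGS):
        print(hit)
```

Running the script prints the two membership changes a rule built from these queries would alert on (one add, one remove) and silently drops the failed and app-initiated records. Note that the removal query as posted does not filter on Result, so it would also surface failed removal attempts; this script filters both operations on success, which you may or may not want depending on whether failed attempts are interesting to you.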

Hi @deshantshukla, the queries you shared are for Azure AD RBAC. I'm looking to monitor the changes to the RBAC of the "Compliance Center", which has its own RBAC system.