Azure Active Directory Identity Protection user account enrichments removed: how to mitigate impact
Published Dec 13 2022 05:01 AM
Microsoft

As of September 30, 2022, alerts coming from the AADIP connector no longer contain the following fields:

 

  • CompromisedEntity
  • ExtendedProperties["User Account"]
  • ExtendedProperties["User Name"]

 

Below we’ll describe the impact to different areas and offer mitigation steps where possible.

All mitigations offered below use the IdentityInfo table, which is available to customers of the UEBA solution. If you have not already done so, enable the UEBA solution to sync the IdentityInfo table with your Azure AD logs. Follow the instructions in this document. (If you don't intend to use UEBA in general, you can ignore the last instruction about selecting data sources on which to enable entity behavior analytics.)

 

About the IdentityInfo table:
User data from your Azure Active Directory and/or on-premises Active Directory is synchronized into the table in Log Analytics for use in Microsoft Sentinel when the UEBA solution is enabled for your Microsoft Sentinel workspace. While the initial synchronization might take a few days to complete, once the data is fully uploaded, changes made to your user profiles are updated within 15 minutes. Group and role information is synchronized to the table daily. Every 14 days Microsoft Sentinel re-synchronizes your entire AD to ensure stale records are fully updated. To learn more about the table, refer here.

 

Custom Queries, Scheduled analytics rules:

If you have previously built and used custom queries directly referencing the fields mentioned, you’ll need another way to get this information and adjust your queries to look up these values in the IdentityInfo table. You can copy and incorporate the query below in your existing queries to look up the data by joining the SecurityAlert table with the IdentityInfo table.

 

When setting up a scheduled rule, you will want to enrich the data using the IdentityInfo table. Because the timestamps of the two tables differ, adjust the TimeGenerated filter on the IdentityInfo table so that it looks back far enough to cover all changes that might have occurred since IdentityInfo was last updated. However, since the lookback period of the query is 14 days, the rule frequency cannot exceed 1 hour.

 

SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName == "Azure Active Directory Identity Protection"
// expand the Entities array and keep only the account entities
| mv-expand Entity = todynamic(Entities)
| where Entity.Type == "account"
| extend AadTenantId = tostring(Entity.AadTenantId)
| extend AadUserId = tostring(Entity.AadUserId)
// look up the UPN and display name by tenant ID and user object ID
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
    | extend UserAccount = AccountUPN
    | extend UserName = AccountDisplayName
    | where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
    | project AccountTenantId, AccountObjectId, UserAccount, UserName
    )
    on
    $left.AadTenantId == $right.AccountTenantId,
    $left.AadUserId == $right.AccountObjectId
// repopulate CompromisedEntity when the alert no longer carries it
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
| project-away AadTenantId, AadUserId, AccountTenantId, AccountObjectId
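The query above uses an inner join, so an alert whose account has no IdentityInfo row (for example while the initial synchronization is still running) is dropped from the results, and distinct can return several rows for a user whose UPN or display name changed within the 14 days. The variant below is an added example, not part of the original post: it keeps every alert and only the latest identity record per user, and the IdentityResolved column and the fallback to the user object ID are assumptions made for illustration.

```kusto
// Added example (not from the original post).
// Uses the same tables and columns as the query above.
let LatestIdentity = IdentityInfo
    | where TimeGenerated > ago(14d)
    | where isnotempty(AccountObjectId) and isnotempty(AccountUPN)
    // keep only the newest record per user, so a renamed account
    // does not fan one alert out into several rows
    | summarize arg_max(TimeGenerated, AccountUPN, AccountDisplayName)
        by AccountTenantId, AccountObjectId
    | project AccountTenantId, AccountObjectId,
        UserAccount = AccountUPN, UserName = AccountDisplayName;
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName == "Azure Active Directory Identity Protection"
| mv-expand Entity = todynamic(Entities)
| where Entity.Type == "account"
| extend AadTenantId = tostring(Entity.AadTenantId),
    AadUserId = tostring(Entity.AadUserId)
// leftouter keeps alerts whose account is not (yet) in IdentityInfo
| join kind=leftouter (LatestIdentity)
    on $left.AadTenantId == $right.AccountTenantId,
       $left.AadUserId == $right.AccountObjectId
// IdentityResolved is a hypothetical helper column for triage
| extend IdentityResolved = isnotempty(UserAccount)
| extend CompromisedEntity = case(
    isnotempty(CompromisedEntity) and CompromisedEntity != "N/A", CompromisedEntity,
    IdentityResolved, UserAccount,
    AadUserId)  // assumption: fall back to the object ID when no UPN is found
| project-away AadTenantId, AccountTenantId, AccountObjectId
```

Filtering on IdentityResolved == false lists the alerts that could not be enriched, which is a quick way to check whether the IdentityInfo synchronization covers the accounts that are raising alerts.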

 

 

Microsoft Sentinel built-in queries and rule templates:

Microsoft Sentinel built-in queries and templates have been updated. Please update the rules to resolve issues related to the missing fields.

 

UEBA UserPeerAnalytics table

The change above impacts UEBA in the UserPeerAnalytics table. User IDs are no longer resolved to names, so the following fields will no longer be automatically populated:

  • UserName
  • UserPrincipalName
  • PeerUserName
  • PeerUserPrincipalName

The corresponding ID fields remain part of the table, and any built-in queries and other operations will execute the appropriate name lookups in other ways (using the IdentityInfo table), so you shouldn’t be affected by this change in nearly all circumstances.

If you have built any custom queries or rules directly referencing these name fields, you will need to adjust your queries to look up these values in the IdentityInfo table. You can copy and incorporate the query below in your existing queries to look up the data by joining the UserPeerAnalytics table with the IdentityInfo table.

The following query resolves user and peer identifier fields:

UserPeerAnalytics
| where TimeGenerated > ago(24h)
// join to resolve user identifier fields
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
    | extend UserPrincipalNameIdentityInfo = AccountUPN
    | extend UserNameIdentityInfo = AccountDisplayName
    | project AccountTenantId, AccountObjectId, UserPrincipalNameIdentityInfo, UserNameIdentityInfo
) on $left.AADTenantId == $right.AccountTenantId, $left.UserId == $right.AccountObjectId
// join to resolve peer identifier fields
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
    | extend PeerUserPrincipalNameIdentityInfo = AccountUPN
    | extend PeerUserNameIdentityInfo = AccountDisplayName
    | project AccountTenantId, AccountObjectId, PeerUserPrincipalNameIdentityInfo, PeerUserNameIdentityInfo
) on $left.AADTenantId == $right.AccountTenantId, $left.PeerUserId == $right.AccountObjectId

If your original query referenced the user or peer names (not just their IDs), substitute this query in its entirety for the table name (“UserPeerAnalytics”) in your original query.

 

To summarize, this post provides sample self-enrichment queries to help you recover the information that was removed. Feel free to leave your feedback in the comments below.

 

Last update: Dec 13 2022 05:09 AM