Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
What's new: IdentityInfo table is now in public preview!
Published Jul 27 2021 04:26 AM 14.4K Views
Microsoft

Hey everyone!

 

Having the right information during an investigation is crucial to differentiating between FP and TP, and to starting the ‘Scope of Breach’ process on time, since every second counts.

 

The attack surface used by hackers is often the company’s user and service accounts, so the information about those accounts – who is the user behind them, what are their privileges, and additional data – is important for the analyst to have while investigating those entities.

 

Furthermore, embedding entity information in your analytics rules will result in ‘tailor-made’ analytics for your organization that fit your use cases and scenarios and can reduce FP.

 

How Do I Start?

 

If you haven’t enabled UEBA – we encourage you to do so! It’s so simple.

 

Part of the process of enabling UEBA is providing consent for Sentinel UEBA to synchronize you Azure Active Directory. This allows us to create profiles for user accounts in the organization.

 

 

If already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under ‘Azure Sentinel UEBA’ group in LA.

 

 

Spoiler

The Identity info table contains a snapshot of the user’s profile: metadata information, groups membership, Azure AD roles assigned and UEBA enrichments.

 

 

IdentityInfo table in the Logs bladeIdentityInfo table in the Logs blade

 

 Important information:

  • Once UEBA is enabled, we will sync all your AAD users into the ‘IdentityInfo’ table
  • Default retention time for the table is 30 days
  • After the initial sync, any changes to made in AAD to your users will be saved in LA in up to 15 minutes.
  • Groups & Roles are updated on a daily basis
  • Every 21 days we will resync your entire AAD directory, to make sure stale records are updated.
  • Note:
    • Deleted groups (user was removed from a group) is not supported yet. It will still be listed in the user’s groups membership.
    • We only support Azure Active Directory built-in roles for the assigned roles attribute.
    • The initial sync might take a few days (depending of the size of the tenant).

 

What information can I find there?

 

The IdentityInfo table contains the following information taken from your Azure Active Directory:

 

Column

Type

Description

AccountCloudSID

string

The Azure AD security identifier of the account

AccountCreationTime

datetime

The date the user account was created (UTC)

AccountDisplayName

string

The user account display name

AccountDomain

string

Domain name of the user account

AccountName

string

User name of the account

AccountObjectId

string

The Azure Active Directory object ID for the account

AccountSID

string

The on premises security identifier of the account

AccountTenantId

string

The Azure Active Directory Tenant ID of the account

AccountUPN

string

User principal name of the account

AdditionalMailAddresses

dynamic

Additional email addresses of the user

AssignedRoles

dynamic

AAD roles the user account is assigned to

City

string

The city of the user account as defined in AAD

Country

string

The country of the user account as defined in AAD

DeletedDateTime

datetime

The date and time the user was deleted

Department

string

The user account department as defined in AAD

GivenName

string

The user account given name

GroupMembership

dynamic

Azure AD Groups the user account is a member

IsAccountEnabled

bool

Indication if the account is enabled in AAD or not

JobTitle

string

The user account job title as defined in AAD

MailAddress

string

The user account primary email address

Manager

string

The user accounts manager alias

OnPremisesDistinguishedName

string

Active Directory distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.

Phone

string

The phone number of the user account as defined in AAD

SourceSystem

string

 

State

string

The geographical state of the user account as defined in AAD

StreetAddress

string

The office street address of the user account as defined in AAD

Surname

string

The user account surname

TenantId

string

 

TimeGenerated

datetime

Time when the event was generated (UTC)

Type

string

The name of the table

UserType

string

The user type as appears in Azure AD

 

What’s in it for me?

 

Having user information surfaced in Log Analytics allows you (as a SecOps / Threat Hunter) to address various lines of investigation, for example:

 

Which users are members of my "Executive" AAD security group?

 

IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where GroupMembership contains "Executive"

 

 

Who are all my guest accounts in the tenant?

 

IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where UserType == "Guest"

 

 

Which of my users are only AAD users (i.e. not synced from my on prem AD)?

 

IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where isempty(OnPremisesDistinguishedName)

 

 

Which users have assigned "privileged" Azure Active Directory roles?

 

let PrivielgedRoles = dynamic(["Global Administrator","Security Administrator"]);
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| where AssignedRoles  in~ (PrivielgedRoles)
| summarize AssignedRoles=make_set(AssignedRoles) by AccountObjectId, AccountSID, AccountUPN, AccountDisplayName, JobTitle, Department

 

 

SecOps analysts can use this information to create their custom analytics rules:

 

I want to be alerted if a specific server is accessed by anyone outside of the ‘Finance Department’.

 

let LoginEvent = dynamic(["4624","4768","4776"]);
SecurityEvent
| where EventID in (LoginEvent)
| where Computer == "Financesrv.contoso.com"
| join kind=innerunique (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    ) on $left.TargetUserSid == $right.AccountSID 
| where Department != "Finance"

 

 

 

Taking the above example you can extend it even further - if the user is a member of a specific group, don’t trigger alert.

 

In addition when using automation to create a ticket in the ticketing system, pull information about the user from the ‘IdentityInfo’ table .

 

You can read more about the IdentityInfo table and how to use it in our docs.

 

What’s next?

 

Our goal is to expose to you, the Sentinel user, the we have of the users in your organization. We’re going to constantly add more bits of information we learn about users (example below). In addition, we want to expand the entity profiles we have and surface those in Log Analytics as well (such as DeviceInfo, AppInfo, SecurityGroupInfo, IPaddressInfo…)

 

IdentityInfo table features to come:

  • Applications
  • Blast Radius
  • EmployeeId
  • Extension property from AAD
  • Investigation priority – risk score
  • Is MFA registered
  • Last seen date
  • On-prem extension property
  • AAD IP risk level and state
  • Related service principals
  • Tags
  • UACFlags
  • UserState
  • UserStateChangedOn

 

We Value Your Opinion!

Our goal is to make your life easier while you investigate security incidents. If you have any feedback – about the experience, the usage – or anything else,

Please let us know! We aim to improve :cool:

 

 

2 Comments
Version history
Last update:
‎Nov 03 2021 03:57 AM
Updated by: