Forum Discussion

Larssen92's avatar
Larssen92
Brass Contributor
Dec 21, 2021
Solved

Dynamics365 - Check user's group membership

Hi all,

I have a customer who wants an analytics rule to trigger if a CRUD operation is done by a user who is NOT part of the groups x, y and z.

Can this be done through KQL query, or would the solution be to create a logic app that triggers on every CRUD operation?

  • Larssen92 

     

    If you use Microsoft Sentinel UEBA - https://docs.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics you have access to the IdentityInfo table which you can use to leverage group membership, then do a rightanti join to your D365 tables.

     

    Something like this - 

     

    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | mv-expand GroupMembership
    | where GroupMembership has_any ("Group x", "Group y", "Group z")
    | project AccountUPN
    | join kind=rightanti

    (
    Dynamics365

    | where your query here

    | project UserId

    ) on $left.AccountUPN==$right.UserId

     

    Rightanti will return results from only the right table (your dynamics query) who aren't in the left table (members of your groups).

     

     

2 Replies

  • m_zorich's avatar
    m_zorich
    Iron Contributor

    Larssen92 

     

    If you use Microsoft Sentinel UEBA - https://docs.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics you have access to the IdentityInfo table which you can use to leverage group membership, then do a rightanti join to your D365 tables.

     

    Something like this - 

     

    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | mv-expand GroupMembership
    | where GroupMembership has_any ("Group x", "Group y", "Group z")
    | project AccountUPN
    | join kind=rightanti

    (
    Dynamics365

    | where your query here

    | project UserId

    ) on $left.AccountUPN==$right.UserId

     

    Rightanti will return results from only the right table (your dynamics query) who aren't in the left table (members of your groups).

     

     

    • Larssen92's avatar
      Larssen92
      Brass Contributor
      Thanks, that was exactly what I was looking for!

Resources