SOLVED

Dynamics365 - Check user's group membership

Hi all,

I have a customer who wants an analytics rule to trigger if a CRUD operation is done by a user who is NOT part of the groups x, y and z.

Can this be done through a KQL query, or would the solution be to create a logic app that triggers on every CRUD operation?

2 Replies
best response confirmed by Larssen92 (Brass Contributor)
Microsoft Verified Best Answer
Solution

@Larssen92

If you use Microsoft Sentinel UEBA - https://docs.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics you have access to the IdentityInfo table which you can use to leverage group membership, then do a rightanti join to your D365 tables.

Something like this -

IdentityInfo
| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| mv-expand GroupMembership
| where GroupMembership has_any ("Group x", "Group y", "Group z")
| project AccountUPN
| join kind=rightanti (
    Dynamics365
    | where your query here
    | project UserId
) on $left.AccountUPN==$right.UserId

Rightanti will return results from only the right table (your dynamics query) who aren't in the left table (members of your groups).
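
The right-anti join pattern from the answer above, as an added example that is not part of the original post: it runs against constructed `datatable` stand-ins (`SampleIdentityInfo`, `SampleDynamics365`, with made-up users) so it can be pasted into a KQL query window without live data. The `tolower()` normalisation and the extra projected columns are additions, made on the assumption that UPN casing can differ between the two sources; KQL compares string join keys case-sensitively.

```kql
// Constructed sample data standing in for the real IdentityInfo table.
// alice has two snapshots; only the latest one should count.
let SampleIdentityInfo = datatable(TimeGenerated: datetime, AccountUPN: string, GroupMembership: dynamic) [
    datetime(2024-01-01), "alice@contoso.com", dynamic(["Group x", "Sales"]),
    datetime(2024-01-05), "alice@contoso.com", dynamic(["Group x", "Group y"]),
    datetime(2024-01-03), "bob@contoso.com",   dynamic(["Sales"]),      // known identity, in none of the groups
    datetime(2024-01-04), "Carol@contoso.com", dynamic(["Group z"])     // member, but UPN casing differs
];
// Constructed sample data standing in for the Dynamics365 activity table.
let SampleDynamics365 = datatable(TimeGenerated: datetime, UserId: string, Operation: string) [
    datetime(2024-01-06T09:00:00), "alice@contoso.com", "Update",
    datetime(2024-01-06T09:05:00), "bob@contoso.com",   "Delete",
    datetime(2024-01-06T09:10:00), "carol@contoso.com", "Create",
    datetime(2024-01-06T09:15:00), "dave@contoso.com",  "Update"       // no IdentityInfo record at all
];
// Left side: the allow-list of UPNs that belong to at least one of the groups.
SampleIdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN        // latest identity snapshot per user
| mv-expand GroupMembership
| where tostring(GroupMembership) has_any ("Group x", "Group y", "Group z")
| project AccountUPN = tolower(AccountUPN)
| distinct AccountUPN
// Right side: the activity to alert on. rightanti keeps only right-side rows
// whose key has no match in the allow-list.
| join kind=rightanti (
    SampleDynamics365
    | extend UserId = tolower(UserId)
    | project TimeGenerated, UserId, Operation
) on $left.AccountUPN == $right.UserId
```

A user with no IdentityInfo record has no match on the left side either, so their activity is returned alongside that of known non-members; triage of the rule's alerts should account for both cases.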

 

 

Thanks, that was exactly what I was looking for!