Sep 23 2021 05:39 AM
I'm trying to generate an Alert in Sentinel when someone adds or removes users from the role groups in the Compliance Center (built-in RBAC system). I am using the Office 365 activity connector, but there seem to be no corresponding events generated when these memberships are changed.
If I look in the audit logs of the Compliance Center here, too, the descriptions of these actions seem quite vague.
Does anyone know a better way to monitor these RBAC role groups for the Compliance center in Sentinel?
Sep 23 2021 08:01 AM
Hey @brlgen,
RBAC activities are captured in the AuditLogs table; you can use the queries below for an analytics rule.
User Added To RBAC Group
AuditLogs
| where OperationName == "Add member to group"
| where Category == "GroupManagement"
// InitiatedBy.user is a dynamic object; take the UPN of the actor directly
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(InitiatedByUser)
// modifiedProperties[1] is expected to be Group.DisplayName; its newValue is a
// JSON-encoded string ("\"Name\""), so parse it once more to strip the quotes
| extend GroupName = tostring(parse_json(tostring(TargetResources[0].modifiedProperties[1].newValue)))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| where AADOperationType == "Assign"
| where Result == "success"
| project InitiatedByUser, TargetedUser, GroupName, OperationName, Result, AADOperationType
User Removed From RBAC Group
AuditLogs
| where OperationName == "Remove member from group"
| where Category == "GroupManagement"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| where isnotempty(InitiatedByUser)
// for a removal the group name sits in oldValue rather than newValue
| extend GroupName = tostring(parse_json(tostring(TargetResources[0].modifiedProperties[1].oldValue)))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| project InitiatedByUser, OperationName, TargetedUser, GroupName, Result, AADOperationType
If you want, I can help you create a single analytics rule for both activities.
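The combined rule offered above, written out as an added example (this is not code from the original reply): one KQL query that covers both "Add member to group" and "Remove member from group" from the same AuditLogs table, so a single analytics rule can alert on either. Two things differ from the two queries above: the group name is looked up in modifiedProperties by its displayName ("Group.DisplayName") rather than by position [1], which is brittle, and the actor is kept whether the change was made by a user or by an app/service principal. WatchedGroups is a placeholder list (an assumption) to be replaced with the display names you actually want to watch. AuditLogs holds Azure AD directory audit events, so this covers groups managed in Azure AD; it does not by itself pull anything from the Office 365 connector.

```kql
// Added example: single analytics-rule query for group membership adds and removes.
// WatchedGroups is a placeholder; fill in real group display names or leave it empty
// to alert on every group.
let WatchedGroups = dynamic(["<role group display name 1>", "<role group display name 2>"]);
AuditLogs
| where Category == "GroupManagement"
| where OperationName in ("Add member to group", "Remove member from group")
// only alert on changes that actually took effect
| where Result == "success"
// the change may have been made by a user or by an application; keep both
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatedByApp  = tostring(InitiatedBy.app.displayName)
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| extend Props = TargetResources[0].modifiedProperties
// find the Group.DisplayName property by name instead of assuming it is at index [1];
// newValue (add) / oldValue (remove) is a JSON-encoded string, hence parse_json(tostring())
| mv-apply Prop = Props on (
    where tostring(Prop.displayName) == "Group.DisplayName"
    | extend GroupName = tostring(parse_json(tostring(
        iff(OperationName startswith "Add", Prop.newValue, Prop.oldValue))))
  )
| extend Action = iff(OperationName startswith "Add", "Added", "Removed")
// empty WatchedGroups means "all groups"; otherwise restrict to the listed names
| where array_length(WatchedGroups) == 0 or GroupName in~ (WatchedGroups)
| project TimeGenerated, Action, GroupName, TargetedUser, InitiatedByUser, InitiatedByApp,
          OperationName, AADOperationType, CorrelationId
```

Rows whose modifiedProperties carry no Group.DisplayName entry are dropped by the mv-apply step, which is the intended behaviour for an alert on named groups; if you would rather see them, add a `| extend GroupName = ""` fallback before the filter. When turning this into a Sentinel rule, map TargetedUser and InitiatedByUser to Account entities and CorrelationId to a custom detail so the add and remove events for one operation can be tied together in the incident.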
Sep 23 2021 08:49 AM