Microsoft Tech Community

Generate alert when changes made to the RBAC of Compliance Center


I'm trying to generate an Alert in Sentinel when someone adds or removes users from the role groups in the Compliance Center (built-in RBAC system). I am using the Office 365 activity connector, but there seem to be no corresponding events generated when these memberships are changed.

 

If I look in the audit logs of the Compliance Center, here too the descriptions of these actions seem quite vague.

 

Does anyone know a better way to monitor these RBAC role groups for the Compliance center in Sentinel?

2 Replies

Hey @brlgen

 

RBAC activities are captured in the AuditLogs table; you can use the queries below for an analytics rule.

 

User Added To RBAC Group

AuditLogs
| where OperationName == "Add member to group"
| where Category == "GroupManagement"
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| where AADOperationType == "Assign"
| where Result == "success"
| project InitiatedByUser,  TargetedUser, GroupName, OperationName, Result, AADOperationType

 

User Removed From RBAC Group

AuditLogs
| where OperationName == "Remove member from group"
| where Category == "GroupManagement"
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| project InitiatedByUser,  OperationName, TargetedUser, GroupName,  Result, AADOperationType

 

If you want, I can help you to create a single analytics rule for both activities.
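The two queries above merged into one rule, as the reply offers, as an added example that is not part of the original thread. It assumes the Sentinel AuditLogs columns used above, filters both operations to Result == "success", and uses a placeholder WatchedGroups list to scope alerts to the groups of interest; as the follow-up in this thread notes, this covers Azure AD group membership, not the Compliance Center's own role groups.

```kql
// Placeholder: replace with the display names of the groups to monitor.
let WatchedGroups = dynamic(["<group display name placeholder>"]);
AuditLogs
| where Category == "GroupManagement"
| where OperationName in ("Add member to group", "Remove member from group")
| where Result == "success"
| extend InitiatedByUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatedByUser)
| extend ModifiedProps = parse_json(tostring(TargetResources[0].modifiedProperties))
// The group display name sits in newValue for an add and in oldValue for a removal.
| extend GroupName = iff(OperationName == "Add member to group",
                         tostring(parse_json(tostring(ModifiedProps[1].newValue))),
                         tostring(parse_json(tostring(ModifiedProps[1].oldValue))))
| extend TargetedUser = tostring(TargetResources[0].userPrincipalName)
| extend Action = iff(OperationName == "Add member to group", "Added", "Removed")
// Drop this line to alert on membership changes for every group.
| where GroupName in (WatchedGroups)
| project TimeGenerated, Action, InitiatedByUser, TargetedUser, GroupName,
          OperationName, Result, AADOperationType
```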

Hi @deshantshukla, the queries you shared are for Azure AD RBAC. I'm looking to monitor the changes to the RBAC of the "Compliance Center", which has its own RBAC system.