Mar 22 2020 07:20 AM
Hello everyone,
I'm still new to Sentinel. My aim is to use a KQL query to retrieve some sign-in logs and filter them so that only sign-ins for members of a specific Azure AD group are displayed.
When using "SigninLogs" I can't identify a field for group membership. I'm thinking about using the "Identity" field to correlate users with groups, but I'm still not able to find a way to do that.
Do you have some similar experience to share?
Thanks for your help
Alex
Mar 22 2020 09:19 AM
[Solution] @Alexander_Ceyran There is nothing that you can access directly in Azure Sentinel, although the information is available in the Graph API. You may be able to write a PowerApp that will copy that data into an Azure Blob and then you can use the externaldata command to read that.
This blog post also talks a bit about using the Graph API so it may be of use: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentin...
Not the best solution, but it should work. BTW, you can use the KQL search command to search all the tables for a specific value like an AAD group to see if you can find it.
Mar 22 2020 11:26 AM
Another useful blog post: https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-office-365-alerts-with-graph-securit...
Mar 23 2020 04:07 PM
@Gary Bushey Thanks for your help. I used externaldata with a CSV file (stored in a blob container) containing the UPNs of all members of the group. Just to share my solution with others:
let grouplist = externaldata (Members: string) [h"https://...file.csv"]; // one UPN per line, no header row; h"" hides the SAS URL from query logs
SigninLogs
| where UserPrincipalName in~ (grouplist) // case-insensitive match; keeps only sign-ins from the group's members
Apr 30 2024 02:28 PM
IdentityInfo was released in 2021: "What's new: IdentityInfo table is now in public preview!" (Microsoft Community Hub).
So you can do things like this very basic example, with the UEBA data:
SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in ("Browser", "Exchange ActiveSync", "IMAP4", "Mobile Apps and Desktop clients", "Other clients", "POP3", "SMTP")
| extend UserPrincipalName = tolower(UserPrincipalName) // join keys are case-sensitive; normalise UPN case on both sides
| summarize arg_max(TimeGenerated, *) by UserPrincipalName // most recent sign-in per user
| project UserPrincipalName, TimeGenerated
| join kind=leftouter
(
IdentityInfo
| where TimeGenerated > ago(30d)
| extend AccountUPN = tolower(AccountUPN)
| summarize arg_max(TimeGenerated, *) by AccountUPN // most recent identity snapshot per account
| project GroupMembership, AccountUPN // GroupMembership is a dynamic array of group display names
) on $left.UserPrincipalName == $right.AccountUPN
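As an added example (not code from the thread or from Microsoft), here is a KQL query that does what the original question asked for: keep only the sign-ins of members of one named group, resolved through the UEBA IdentityInfo table rather than an externally maintained CSV. The group display name "Privileged Admins", the 7-day and 30-day windows, and the projected columns are placeholders; the IdentityInfo columns used (AccountUPN, GroupMembership, AccountObjectId, IsAccountEnabled) are assumed from the table's documented schema, and the table is only populated when UEBA is enabled on the workspace.

```kql
// Added example: sign-ins by members of a single Entra ID / Azure AD group, via the UEBA IdentityInfo table.
// "Privileged Admins" is a placeholder display name; replace it with the real group.
let TargetGroup = "Privileged Admins";
let GroupMembers =
    IdentityInfo
    | where TimeGenerated > ago(30d)
    // Keep only the most recent identity snapshot per account so stale membership does not leak in.
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    // GroupMembership is a dynamic array of group display names; expand it and match the whole
    // name (case-insensitive) so "Privileged Admins" does not also match "Privileged Admins Readers".
    | mv-expand Group = GroupMembership
    | where tostring(Group) =~ TargetGroup
    // UPN case can differ between tables and join keys are case-sensitive, so normalise before joining.
    | project AccountUPN = tolower(AccountUPN), AccountObjectId, IsAccountEnabled
    | distinct AccountUPN, AccountObjectId, IsAccountEnabled;
SigninLogs
| where TimeGenerated > ago(7d)
| extend JoinUPN = tolower(UserPrincipalName)
// Inner join drops every sign-in whose user is not a current member of the group.
| join kind=inner GroupMembers on $left.JoinUPN == $right.AccountUPN
| project TimeGenerated, UserPrincipalName, AccountObjectId, IsAccountEnabled,
          AppDisplayName, ClientAppUsed, IPAddress, Location, ResultType, ResultDescription
| order by TimeGenerated desc
```

Two practical points: `summarize arg_max(TimeGenerated, *) by AccountUPN` matters because IdentityInfo receives periodic snapshots, so without it a user removed from the group last week would still match on an older row; and using `mv-expand` with `=~` instead of `has` avoids partial-term matches on group names that share a prefix. Swap `kind=inner` for `kind=leftanti` to get the opposite set, sign-ins by users who are not in the group.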