Sign-in logs and Azure AD groups

Alexander_Ceyran · ‎Mar 22 2020

Hello everyone,

I'm still new to Sentinel, my aim is to use a KQL query to retrieve some sign-in logs and filter them by displaying sign-ins for members of a specific Azure AD Group only.

When using "SigninLogs" I can't identify a field for group membership. I'm thinking about using the "identity" field to correlate users with groups but I'm still not able to find a way to that.

Do you have some similar experience to share?

Thanks for your help

Alex

rodtrent · ‎Mar 22 2020

@Alexander_Ceyran There is nothing that you can access directly in Azure Sentinel although the information is available in the Graph API. You may be able to write a PowerApp that will copy that data into an Azure Blog and then you can use the externaldata command to read that.

This blog post also talks a bit about using the Graph API so it may be of use: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentin...

Not the best solution but it should work. BTW, you can use the KQL command search to search all the tables for a specific value like an AAD group to see if you can find it.

Gary Bushey · ‎Mar 22 2020

Another useful blog post: https://techcommunity.microsoft.com/t5/azure-sentinel/ingesting-office-365-alerts-with-graph-securit...

Alexander_Ceyran · ‎Mar 23 2020

@Gary Bushey Thanks for your help , I used externaldata with a csv file (The file is stored in a blob container) containing the UPN of all members of the group, just to share my solution with others:

let grouplist = externaldata (Members: string) [h"https://...file.csv"];
SigninLogs
| where UserPrincipalName !in~ (grouplist)

Sign-in logs and Azure AD groups

Sign-in logs and Azure AD groups

Re: Sign-in logs and Azure AD groups

Re: Sign-in logs and Azure AD groups

Re: Sign-in logs and Azure AD groups

Products (65)

Special Topics (44)

Video Hub (978)

Most Active Hubs

Most Active Hubs

Video Hub

Sign-in logs and Azure AD groups