cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Sign-in logs and Azure AD groups

Alexander_Ceyran
Copper Contributor

‎Mar 22 2020 07:20 AM

‎Mar 22 2020 07:20 AM

Sign-in logs and Azure AD groups

Hello everyone,

 

I'm still new to Sentinel, my aim is to use a KQL query to retrieve some sign-in logs and filter them by displaying sign-ins for members of a specific Azure AD Group only.

When using "SigninLogs" I can't identify a field for group membership. I'm thinking about using the "identity" field to correlate users with groups but I'm still not able to find a way to that.

 

Do you have some similar experience to share?

 

Thanks for your help

Alex

6,456 Views
0 Likes
6 Replies
Reply
6 Replies
best response confirmed by Rod_Trent (Microsoft)
Gary Bushey

‎Mar 22 2020 09:19 AM

‎Mar 22 2020 09:19 AM

Solution

Re: Sign-in logs and Azure AD groups

@Alexander_Ceyran There is nothing that you can access directly in Azure Sentinel although the information is available in the Graph API.  You may be able to write a PowerApp that will copy that data into an Azure Blog and then you can use the externaldata command to read that.

 

This blog post also talks a bit about using the Graph API so it may be of use: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentin...

 

Not the best solution but it should work.  BTW, you can use the KQL command search to search all the tables for a specific  value like an AAD group to see if you can find it.

1 Like
Reply
Alexander_Ceyran

‎Mar 23 2020 04:07 PM

‎Mar 23 2020 04:07 PM

Re: Sign-in logs and Azure AD groups

@Gary Bushey Thanks for your help , I used externaldata with a csv file (The file is stored in a blob container) containing the UPN of all members of the group, just to share my solution with others:


let grouplist = externaldata (Members: string) [h"https://...file.csv"];
SigninLogs
| where UserPrincipalName !in~ (grouplist) 

 

 

0 Likes
Reply
Secureskydev

‎Apr 30 2024 10:37 AM

‎Apr 30 2024 10:37 AM

Re: Sign-in logs and Azure AD groups

I saw a kql (below) that is accessing the graph API directly, but I get a generic error. Is there a permission or workspace setting?

SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in ("Browser", "Exchange ActiveSync", "IMAP4", "Mobile Apps and Desktop clients", "Other clients", "POP3", "SMTP")
| summarize arg_max(TimeGenerated, *) by UserPrincipalName
| project UserPrincipalName, TimeGenerated
| join kind=leftouter (
externaldata(displayName:string,lastSignInDateTime:datetime)
[@"https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity"]
with(format="json", ingestionMapping=[{"column":"displayName","path":"displayName"},{"column":"lastSignInDateTime","path":"signInActivity/lastSignInDateTime"}])
on $left.UserPrincipalName == $right.displayName
)
on UserPrincipalName
| project UserPrincipalName, TimeGenerated, lastSignInDateTime
| where lastSignInDateTime < ago(90d)
| extend AccountCustomEntity = UserPrincipalName
0 Likes
Reply
Clive_Watson

‎Apr 30 2024 02:28 PM

‎Apr 30 2024 02:28 PM

Re: Sign-in logs and Azure AD groups

@Secureskydev 

 

IdentityInfo was released in 2021 What's new: IdentityInfo table is now in public preview! - Microsoft Community Hub

So you can do things like this very basic example, with the UEBA data:

SigninLogs
| where TimeGenerated > ago(30d)
| where ClientAppUsed in ("Browser", "Exchange ActiveSync", "IMAP4", "Mobile Apps and Desktop clients", "Other clients", "POP3", "SMTP")
| summarize arg_max(TimeGenerated, *) by UserPrincipalName
| project UserPrincipalName, TimeGenerated
| join kind=leftouter 
(
    IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project GroupMembership, AccountUPN
) on $left.UserPrincipalName == $right.AccountUPN

  

0 Likes
Reply
Secureskydev

‎Apr 30 2024 03:42 PM

‎Apr 30 2024 03:42 PM

Re: Sign-in logs and Azure AD groups

We tried using identityInfo, but we found it didn't always have the current state (isAccountEnabled) and, in some cases, didn't have all the "old" enabled accounts (material differences on some clients) depending on lookback. Also, it nice having additional enrichment data last signing, registration, etc.

We are using a series of Log apps to push different types of enrichment data into the workspace. It would be nice to have the option to grab it directly, like Rod Trent's blog. It seem it was working for some folks
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Rod_Trent (Microsoft)
Gary Bushey

‎Mar 22 2020 09:19 AM

‎Mar 22 2020 09:19 AM

Solution

Re: Sign-in logs and Azure AD groups

@Alexander_Ceyran There is nothing that you can access directly in Azure Sentinel although the information is available in the Graph API.  You may be able to write a PowerApp that will copy that data into an Azure Blog and then you can use the externaldata command to read that.

 

This blog post also talks a bit about using the Graph API so it may be of use: https://techcommunity.microsoft.com/t5/azure-sentinel/bring-your-threat-intelligence-to-azure-sentin...

 

Not the best solution but it should work.  BTW, you can use the KQL command search to search all the tables for a specific  value like an AAD group to see if you can find it.

View solution in original post

1 Like
Reply