Query Details

White List: Find Who Accessed Azure Sentinel that Should Not

Query

//Create a whitelist of users who should be able to access Azure Sentinel, then check to see if unauthorized users have performed activities.
//Replace the users in the variable for AuthorizedUser with authorized accounts. Authorized account format is gleaned from AzureActivity/Caller
let List = datatable(AuthorizedUser: string)["[email protected]", "[email protected]", "[email protected]"];
let timeframe = 1d;
AzureActivity
//Restrict to the lookback window (timeframe was declared but never applied)
| where TimeGenerated >= ago(timeframe)
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS"
| where ActivityStatusValue == "Success"
| where CategoryValue == "Administrative"
//Join keys are case-sensitive, so normalize Caller the same way the whitelist is normalized
| extend Caller = tolower(Caller)
| join kind= leftanti (
    List
    | project Caller = tolower(AuthorizedUser)
    )
    on Caller
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Explanation

This query creates a list of authorized users who are allowed to administer Azure Sentinel and then checks whether anyone outside that list has performed activities. It filters AzureActivity for operations related to Microsoft Security Insights (the Sentinel resource provider), with a status of "Success" and a category of "Administrative". It then performs a leftanti join against the authorized list, which keeps only the activity rows whose Caller has no match in the list, i.e. the unauthorized callers. Note that KQL join keys are compared case-sensitively, so Caller values must match the lowercased list exactly for an authorized user to be excluded. Finally, it extends the AccountCustomEntity and IPCustomEntity columns with the Caller and CallerIpAddress values, respectively, so the results can be mapped to account and IP entities in an analytics rule.
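The same whitelist/anti-join detection logic, written in Python as an added illustration (not part of the original query page), run over a few constructed AzureActivity-style records. It mirrors the KQL operators used above: `has` is a case-insensitive term match, `==` is case-sensitive, and the anti-join drops every row whose caller appears in the authorized list. The record fields, user names and IP addresses are all constructed sample data; the `normalize_case` flag is an assumption added here to show why lowercasing both sides of the join matters.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample AzureActivity-style rows (not real tenant data).
NOW = datetime(2021, 1, 8, 12, 0, tzinfo=timezone.utc)

SAMPLE_ACTIVITY = [
    # Authorized admin, mixed-case UPN as AzureActivity often records it.
    {"TimeGenerated": NOW - timedelta(hours=1),
     "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Success", "CategoryValue": "Administrative",
     "Caller": "Admin.One@contoso.example", "CallerIpAddress": "203.0.113.10"},
    # Unauthorized caller, successful administrative change: should be flagged.
    {"TimeGenerated": NOW - timedelta(hours=2),
     "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/DELETE",
     "ActivityStatusValue": "Success", "CategoryValue": "Administrative",
     "Caller": "unexpected.user@contoso.example", "CallerIpAddress": "198.51.100.7"},
    # Unauthorized caller but the operation failed: filtered out by status.
    {"TimeGenerated": NOW - timedelta(hours=3),
     "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Failed", "CategoryValue": "Administrative",
     "Caller": "unexpected.user@contoso.example", "CallerIpAddress": "198.51.100.7"},
    # Unauthorized, successful, but outside the 1-day lookback window.
    {"TimeGenerated": NOW - timedelta(days=3),
     "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Success", "CategoryValue": "Administrative",
     "Caller": "old.actor@contoso.example", "CallerIpAddress": "192.0.2.5"},
    # Unrelated resource provider: not a Sentinel operation.
    {"TimeGenerated": NOW - timedelta(hours=4),
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "ActivityStatusValue": "Success", "CategoryValue": "Administrative",
     "Caller": "unexpected.user@contoso.example", "CallerIpAddress": "198.51.100.7"},
]

# Constructed whitelist, stored lowercase as the KQL `tolower(AuthorizedUser)` projection does.
AUTHORIZED_USERS = ["admin.one@contoso.example", "soc.lead@contoso.example"]


def find_unauthorized_sentinel_activity(activity, authorized_users, now=NOW,
                                        timeframe=timedelta(days=1),
                                        normalize_case=True):
    """Return the activity rows whose caller is not on the whitelist.

    normalize_case=True lowercases Caller before the anti-join, matching the
    corrected KQL. normalize_case=False reproduces a case-sensitive join
    against a lowercased list, which flags authorized users as unauthorized
    whenever AzureActivity recorded their UPN with different casing.
    """
    allowed = {u.lower() for u in authorized_users}
    hits = []
    for row in activity:
        if row["TimeGenerated"] < now - timeframe:          # ago(timeframe)
            continue
        if "MICROSOFT.SECURITYINSIGHTS" not in row["OperationNameValue"].upper():
            continue                                         # `has` is case-insensitive
        if row["ActivityStatusValue"] != "Success":          # `==` is case-sensitive
            continue
        if row["CategoryValue"] != "Administrative":
            continue
        caller = row["Caller"].lower() if normalize_case else row["Caller"]
        if caller in allowed:                                # join kind=leftanti
            continue
        hits.append({"AccountCustomEntity": caller,
                     "IPCustomEntity": row["CallerIpAddress"],
                     "OperationNameValue": row["OperationNameValue"]})
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_sentinel_activity(SAMPLE_ACTIVITY, AUTHORIZED_USERS):
        print(f"{hit['AccountCustomEntity']} from {hit['IPCustomEntity']}: {hit['OperationNameValue']}")
```

Running the function with `normalize_case=False` over the same sample shows the pitfall: the authorized admin whose UPN was logged as `Admin.One@...` is reported alongside the genuinely unexpected caller, because a case-sensitive anti-join treats the two spellings as different accounts.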

Details


Rod Trent

Released: January 8, 2021

Tables

AzureActivity
List

Keywords

AzureSentinel,AzureActivity,AuthorizedUser,List,timeframe,OperationNameValue,MICROSOFT.SECURITYINSIGHTS,ActivityStatusValue,CategoryValue,Caller,CallerIpAddress

Operators

datatable, where, has, ==, join, kind=leftanti, project, tolower, on, extend
