Query Details

Identify Microsoft Sentinel Changes From Users Not Defined Within Approved User Groups

Query

# Identify Microsoft Sentinel changes from users not defined within approved user groups

# Description

The following query uses ExposureGraphEdges, IdentityInfo and SentinelAudit to identify whether any user outside the groups approved to access Microsoft Sentinel has made changes to it.

### Microsoft Sentinel & Defender XDR
```
let EntraGroups = dynamic(["SentinelAdmins", "XDRAdmins"]); // Define the groups approved to make changes in Microsoft Sentinel
let Timeframe = ago(7d); // Define the required Timeframe
// Users holding at least one membership in an approved group
let ApprovedUsers =
ExposureGraphEdges
| where EdgeLabel == "member of"
| where SourceNodeLabel == "user"
| where TargetNodeName has_any (EntraGroups)
| distinct SourceNodeName;
// All remaining users, with the groups they do belong to and their email address
let UserInformation =
ExposureGraphEdges
| where EdgeLabel == "member of"
| where SourceNodeLabel == "user"
| where SourceNodeName !in (ApprovedUsers) // an approved user who also sits in other groups is not flagged
| summarize EntraGroup = make_set(TargetNodeName) by SourceNodeName
| join kind=leftouter (IdentityInfo | distinct AccountDisplayName, EmailAddress) on $left.SourceNodeName == $right.AccountDisplayName
| project SourceNodeName, EntraGroup, EmailAddress;
SentinelAudit
| where Status == @"Success"
| where TimeGenerated > Timeframe
| extend CallerEmailName = tostring(parse_json(ExtendedProperties)["CallerName"]) // the caller is only exposed inside ExtendedProperties
| project TimeGenerated, CallerEmailName, OperationName, SentinelResourceName, Description, SentinelResourceType
| join kind=inner UserInformation on $left.CallerEmailName == $right.EmailAddress
| sort by TimeGenerated desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 30/06/2025    | Initial publish                        |

Explanation

This query is designed to identify any changes made in Microsoft Sentinel by users who are not part of specified approved user groups. Here's a simplified breakdown of what the query does:

  1. Define User Groups and Timeframe:
     • It specifies two approved user groups: "SentinelAdmins" and "XDRAdmins".
     • It sets a timeframe to look back over the last 7 days.
  2. Identify Users Outside Approved Groups:
     • It examines the ExposureGraphEdges table to find users who are members of groups.
     • It keeps only users who are not members of any of the approved groups ("SentinelAdmins" or "XDRAdmins").
     • It collects information about these users, including their names and email addresses, by joining with the IdentityInfo table.
  3. Check for Unauthorized Changes:
     • It looks at the SentinelAudit table to find successful operations (changes) made in Microsoft Sentinel.
     • It filters these operations to only those that occurred within the specified timeframe (last 7 days).
     • It extracts the email address of the user who made each change.
     • It joins this data with the previously identified users who are not in the approved groups.
  4. Output:
     • The query outputs a list of changes made in Microsoft Sentinel by users who are not part of the approved groups, sorted by the time the change was made.

In summary, this query helps in auditing and ensuring that only authorized users (from specified groups) are making changes in Microsoft Sentinel, by flagging any changes made by users outside these groups.
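To check the logic before pointing it at production tables, the same query can be run against constructed rows. This is an added test harness, not part of the original query: the three `Mock*` tables, users, groups and addresses are invented, and the fixed `Timeframe` replaces `ago(7d)` so the sample rows always fall inside the window. Swap the `Mock*` names for the real tables to run it for real.

```kql
let EntraGroups = dynamic(["SentinelAdmins", "XDRAdmins"]);
let Timeframe = datetime(2025-06-23 00:00:00); // fixed lower bound for the constructed rows
// Constructed stand-ins for ExposureGraphEdges, IdentityInfo and SentinelAudit
let MockExposureGraphEdges = datatable(SourceNodeName:string, SourceNodeLabel:string, EdgeLabel:string, TargetNodeName:string) [
    "Alice Admin", "user", "member of", "SentinelAdmins",
    "Alice Admin", "user", "member of", "All Staff",   // approved user who also sits in another group
    "Bob Builder", "user", "member of", "All Staff",   // not in any approved group
    "Carol Dev",   "user", "member of", "Developers"   // not approved, but her change below failed
];
let MockIdentityInfo = datatable(AccountDisplayName:string, EmailAddress:string) [
    "Alice Admin", "alice@example.com",
    "Bob Builder", "bob@example.com",
    "Carol Dev",   "carol@example.com"
];
let MockSentinelAudit = datatable(TimeGenerated:datetime, Status:string, ExtendedProperties:dynamic,
                                  OperationName:string, SentinelResourceName:string, Description:string, SentinelResourceType:string) [
    datetime(2025-06-29 09:00:00), "Success", dynamic({"CallerName": "alice@example.com"}), "Update", "Rule A", "Rule updated", "Analytic Rule",
    datetime(2025-06-29 10:00:00), "Success", dynamic({"CallerName": "bob@example.com"}),   "Delete", "Rule B", "Rule deleted", "Analytic Rule",
    datetime(2025-06-29 11:00:00), "Failure", dynamic({"CallerName": "carol@example.com"}), "Update", "Rule C", "Rule update failed", "Analytic Rule"
];
// Users with at least one approved membership
let ApprovedUsers = MockExposureGraphEdges
| where EdgeLabel == "member of" and SourceNodeLabel == "user"
| where TargetNodeName has_any (EntraGroups)
| distinct SourceNodeName;
// Everyone else, with their groups and email address
let UserInformation = MockExposureGraphEdges
| where EdgeLabel == "member of" and SourceNodeLabel == "user"
| where SourceNodeName !in (ApprovedUsers)
| summarize EntraGroup = make_set(TargetNodeName) by SourceNodeName
| join kind=leftouter (MockIdentityInfo | distinct AccountDisplayName, EmailAddress) on $left.SourceNodeName == $right.AccountDisplayName
| project SourceNodeName, EntraGroup, EmailAddress;
MockSentinelAudit
| where Status == "Success" and TimeGenerated > Timeframe
| extend CallerEmailName = tostring(parse_json(ExtendedProperties)["CallerName"])
| join kind=inner UserInformation on $left.CallerEmailName == $right.EmailAddress
| project TimeGenerated, CallerEmailName, OperationName, SentinelResourceName, EntraGroup
| sort by TimeGenerated desc
// Expected result: exactly one row, Bob's "Delete" of Rule B. Alice is approved (her
// "All Staff" membership does not flag her) and Carol's operation did not succeed.
```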

Details

Michalis Michalos

Released: June 30, 2025

Tables

ExposureGraphEdges, IdentityInfo, SentinelAudit

Keywords

ExposureGraphEdges, IdentityInfo, SentinelAudit, Microsoft Sentinel, Defender XDR, User Groups, EmailAddress, OperationName, ResourceName, ResourceType

Operators

let, dynamic, ago, where, has_any, extend, tostring, project, join kind=leftouter, on, summarize by, join kind=inner, sort by desc, parse_json