Azure Sentinel – IdentityInfo table [Public Preview]

Prerequisite

Enable UEBA – Use entity behavior analytics to detect advanced threats

If you already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under the ‘Azure Sentinel UEBA’ group in your Log Analytics workspace.

The IdentityInfo table contains a snapshot of each user’s profile: metadata, group membership, assigned Azure AD roles and UEBA enrichments.

[Image: IdentityInfo table in the Logs blade]

Note

  • Once UEBA is enabled, all your AAD users will be loaded into the ‘IdentityInfo’ table.
  • The default retention time for the table is 30 days.
  • After the initial sync, any changes made to your users in AAD are saved in Log Analytics within 15 minutes.
  • Groups and roles are updated on a daily basis.
  • Every 21 days the entire AAD directory is resynced, to make sure stale records are updated.
  • Note:
    • Deleted group memberships (a user removed from a group) are not supported yet; the group will still be listed in the user’s group membership.
    • Only Azure Active Directory built-in roles are supported for the assigned roles attribute.
    • The initial sync might take a few days (depending on the size of the tenant).

The IdentityInfo table

The table contains the following columns:

  • AccountCloudSID
  • AccountCreationTime
  • AccountDisplayName
  • AccountDomain
  • AccountName
  • AccountObjectId
  • AccountSID
  • AccountTenantId
  • AccountUPN
  • AdditionalMailAddresses
  • AssignedRoles
  • City
  • Country
  • DeletedDateTime
  • Department
  • GivenName
  • GroupMembership
  • IsAccountEnabled
  • JobTitle
  • MailAddress
  • Manager
  • OnPremisesDistinguishedName
  • Phone
  • SourceSystem
  • State
  • StreetAddress
  • Surname
  • TenantId
  • TimeGenerated
  • Type
  • UserType

Benefits

It lets you run queries and investigate, for example to:

  • Check which users are members of a specific group
  • Identify guest accounts in the tenant
  • Identify cloud-only users
  • Check which users hold privileged roles
  • Check whether a server is being accessed by someone who is not a legitimate user of it
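The following KQL query is an added example (not from the original post) that combines several of the checks above against the columns listed earlier. It assumes the usual IdentityInfo schema; the role names and the ‘Tier0-Admins’ group are constructed sample values, and “cloud-only” is treated here as an account with no on-premises distinguished name.

```kusto
// Added example, not part of the original post.
// Role names and the watched group are constructed sample values.
let PrivilegedRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator"]);
let WatchedGroup = "Tier0-Admins";   // constructed group name
IdentityInfo
// A row is written for every sync, so keep only the newest
// snapshot of each account before evaluating it.
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| extend
    IsGuest      = UserType =~ "Guest",
    // No on-prem DN: the account exists only in Azure AD (cloud-only).
    IsCloudOnly  = isempty(OnPremisesDistinguishedName),
    // Built-in roles held by the user that are in our privileged list.
    PrivRoles    = set_intersect(AssignedRoles, PrivilegedRoles),
    InWatchGroup = set_has_element(GroupMembership, WatchedGroup)
// Surface privileged accounts (by role or by group) and show the
// attributes that make them worth a closer look.
| where array_length(PrivRoles) > 0 or InWatchGroup
| project TimeGenerated, AccountUPN, AccountDisplayName, IsAccountEnabled,
          IsGuest, IsCloudOnly, PrivRoles, InWatchGroup, Department, Manager
| order by IsGuest desc, IsCloudOnly desc, AccountUPN asc
```

Remember that deleted group memberships are not yet reflected, so the group-based flag can keep matching a user for some time after they were removed from the group.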

What’s next?

IdentityInfo table features to come:

  • Applications
  • Blast Radius
  • EmployeeId
  • Extension property from AAD
  • Investigation priority – risk score
  • Is MFA registered
  • Last seen date
  • On-prem extension property
  • AAD IP risk level and state
  • Related service principals
  • Tags
  • UACFlags
  • UserState
  • UserStateChangedOn

Source

What’s new: IdentityInfo table is now in public preview!
