Azure Sentinel – IdentityInfo table [Public Preview]
Prerequisite
Enable UEBA – Use entity behavior analytics to detect advanced threats
If you already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is available under the ‘Azure Sentinel UEBA’ group in your Log Analytics workspace.
The IdentityInfo table contains a snapshot of each user’s profile: metadata, group memberships, assigned Azure AD roles and UEBA enrichments.
Note
- Once UEBA is enabled, all your AAD users will be synced into the ‘IdentityInfo’ table.
- The default retention time for the table is 30 days.
- After the initial sync, any change made to your users in AAD is written to Log Analytics within about 15 minutes.
- Groups and roles are updated on a daily basis.
- Every 21 days the entire AAD directory is resynced, so that stale records are refreshed.
- Group removals (a user being removed from a group) are not supported yet: the group will still be listed in the user’s GroupMembership.
- Only Azure Active Directory built-in roles are supported in the AssignedRoles attribute; custom roles do not appear.
- The initial sync might take a few days, depending on the size of the tenant.
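Because the table is a snapshot that is re-written on each sync, most investigations should start from the latest record per user, and it is worth checking how fresh that record is. The following KQL is an added example and is not part of the original post; it uses only columns listed on this page and assumes nothing beyond the sync cadence described above.

```kql
// Added example (not from the original post).
// Query 1: has the initial sync completed, and how big is the snapshot?
IdentityInfo
| summarize Users = dcount(AccountObjectId),
            OldestRecord = min(TimeGenerated),
            NewestRecord = max(TimeGenerated)

// Query 2: latest snapshot per user and how long ago it was refreshed.
// Retention is 30 days and a full resync runs every 21 days, so an account
// whose newest record is older than ~21 days is either deleted from AAD
// or the sync is lagging; either way it deserves a second look.
IdentityInfo
| summarize LastSync = max(TimeGenerated) by AccountObjectId, AccountUPN
| extend DaysSinceSync = datetime_diff('day', now(), LastSync)
| where DaysSinceSync > 21
| order by DaysSinceSync desc
```

In the Log Analytics query editor the two queries are separated by a blank line; place the cursor in one of them and run it on its own.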
The IdentityInfo table
The table contains the following columns:
- AccountCloudSID
- AccountCreationTime
- AccountDisplayName
- AccountDomain
- AccountName
- AccountObjectId
- AccountSID
- AccountTenantId
- AccountUPN
- AdditionalMailAddresses
- AssignedRoles
- City
- Country
- DeletedDateTime
- Department
- GivenName
- GroupMembership
- IsAccountEnabled
- JobTitle
- MailAddress
- Manager
- OnPremisesDistinguishedName
- Phone
- SourceSystem
- State
- StreetAddress
- Surname
- TenantId
- TimeGenerated
- Type
- UserType
Benefits
The table lets you run queries and investigate, for example:
- List the users who are members of a specific group
- Identify guest accounts in the tenant
- Identify cloud-only users (accounts with no on-premises distinguished name)
- List the users who hold privileged Azure AD roles
- Check whether a server is being accessed by accounts that have no legitimate reason to use it, by joining logon events with the user’s profile
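The KQL below is an added example, not from the original post, covering each of the investigations listed above. It uses only the IdentityInfo columns documented on this page. The group name ‘Sentinel-Admins’, the server name ‘FILE-SRV-01’, the expected department ‘Finance’ and the use of the SecurityEvent table (Windows Security events collected into the workspace) are assumptions for illustration. Each query starts from the latest snapshot per user, since IdentityInfo holds several records per account over time.

```kql
// Added example (not from the original post). Names marked as assumptions
// are hypothetical. Queries are separated by blank lines: run one at a time.

// Query 1: members of a specific group (GroupMembership is a dynamic array)
// Assumption: the group "Sentinel-Admins" is hypothetical.
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand Group = GroupMembership to typeof(string)
| where Group == "Sentinel-Admins"
| project AccountUPN, AccountDisplayName, Department, IsAccountEnabled

// Query 2: guest accounts in the tenant
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where UserType == "Guest"
| project AccountUPN, MailAddress, AccountCreationTime, IsAccountEnabled

// Query 3: cloud-only users (no on-premises DN was synced for them)
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where isempty(OnPremisesDistinguishedName)
| project AccountUPN, AccountDisplayName, UserType, AccountCreationTime

// Query 4: users holding privileged built-in roles (AssignedRoles is a
// dynamic array of built-in role names; custom roles are not populated)
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand Role = AssignedRoles to typeof(string)
| where Role in ("Global Administrator",
                 "Privileged Role Administrator",
                 "Security Administrator",
                 "Exchange Administrator")
| summarize Roles = make_set(Role) by AccountUPN, AccountDisplayName, IsAccountEnabled

// Query 5: who is logging on to a server, and do they look legitimate?
// Assumptions: Windows Security events land in SecurityEvent, the server is
// FILE-SRV-01 and only the "Finance" department is expected to log on.
// SecurityEvent.TargetUserName is the sAMAccountName, which is matched
// against IdentityInfo.AccountName (both lower-cased).
let LatestIdentity = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountName = tolower(AccountName), AccountUPN, Department,
              JobTitle, UserType, IsAccountEnabled;
SecurityEvent
| where TimeGenerated > ago(7d)
| where Computer startswith "FILE-SRV-01"
| where EventID == 4624 and LogonType in (2, 3, 10)   // interactive, network, RDP
| where TargetUserName !endswith "$"                  // drop computer accounts
| extend AccountName = tolower(TargetUserName)
| summarize Logons = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IpAddress) by AccountName
| join kind=leftouter LatestIdentity on AccountName
| extend Reason = case(
      isempty(AccountUPN),       "not in IdentityInfo (local or unknown account)",
      UserType == "Guest",       "guest account",
      IsAccountEnabled == false, "account disabled in AAD but still logging on",
      Department != "Finance",   strcat("unexpected department: ", Department),
      "")
| where isnotempty(Reason)
| project AccountName, AccountUPN, Department, JobTitle, Reason,
          Logons, FirstSeen, LastSeen, SourceIPs
| order by Logons desc
```

Query 5 uses a left outer join on purpose: an account that logs on to the server but has no IdentityInfo record at all (a local account, or one created after the last sync) is often the most interesting result, and an inner join would silently drop it. Keep in mind the caveat from the notes above: because group removals are not yet reflected, Query 1 can over-report membership until that gap is closed.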
What’s next?
IdentityInfo table features to come:
- Applications
- Blast Radius
- EmployeeId
- Extension property from AAD
- Investigation priority – risk score
- Is MFA registered
- Last seen date
- On-prem extension property
- AAD IP risk level and state
- Related service principals
- Tags
- UACFlags
- UserState
- UserStateChangedOn