Azure Sentinel - IdentityInfo table [Public Preview]

Azure Sentinel – IdentityInfo table [Public Preview]

Prerequisite

Enable UEBA – Use entity behavior analytics to detect advanced threats

If already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under ‘Azure Sentinel UEBA’ group in your Log Analytics.

The Identity info table contains a snapshot of the user’s profile: metadata information, groups membership, Azure AD roles assigned and UEBA enrichments

thumbnail image 1 captioned IdentityInfo table in the Logs blade

Note

Once UEBA is enabled, all your AAD users will be into the ‘IdentityInfo’ table
Default retention time for the table is 30 days
After the initial sync, any changes to made in AAD to your users will be saved in Log Analytics in up to 15 minutes.
Groups & Roles are updated on a daily basis
Every 21 days we will resync your entire AAD directory, to make sure stale records are updated.
Note:
- Deleted groups (user was removed from a group) is not supported yet. It will still be listed in the user’s groups membership.
- Microsoft only supports Azure Active Directory built-in roles for the assigned roles attribute.
- The initial sync might take a few days (depending of the size of the tenant).

The IdentityInfo table

The table contains the following information :

AccountCloudSID
AccountCreationTime
AccountDisplayName
AccountDomain
AccountName
AccountObjectId
AccountSID
AccountTenantId
AccountUPN
AdditionalMailAddresses
AssignedRoles
City
Country
DeletedDateTime
Department
GivenName
GroupMembership
IsAccountEnabled
JobTitle
MailAddress
Manager
OnPremisesDistinguishedName
Phone
SourceSystem
State
StreetAddress
Surname
TenantId
TimeGenerated
Type
UserType

Benefits

It will permit you to launch queries and investigate, such as :

Check users who are members of a specific group
Identify guests accounts in the tenant
Identify cloud-only users
Check users who have privileged roles
Check if a server is accessed by someone who are not really legitimate

Whats’s next ?

IdentityInfo table features to come:

Applications
Blast Radius
EmployeeId
Extension property from AAD
Investigation priority – risk score
Is MFA registered
Last seen date
On-prem extension property
AAD IP risk level and state
Related service principals
Tags
UACFlags
UserState
UserStateChangedOn

Source

What’s new: IdentityInfo table is now in public preview!

M	T	W	T	F	S	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Cookie	Duration	Description
__gads	1 year 24 days	The __gads cookie, set by Google, is stored under DoubleClick domain and tracks the number of times users see an advert, measures the success of the campaign and calculates its revenue. This cookie can only be read from the domain they are set on and will not track any data while browsing through other sites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

Cookie	Duration	Description
_clck	1 year	No description
_clsk	1 day	No description
ApplicationGatewayAffinityCORS	session	No description available.
CLID	1 year	No description
GoogleAdServingTest	session	No description
LiSESSIONID	session	No description available.
LithiumUserInfo	past	No description
LithiumUserSecure	past	No description
LithiumVisitor	1 year	No description available.
original_req_url	past	No description
SM	session	No description available.
SRM_B	1 year 24 days	No description available.

Azure Sentinel – IdentityInfo table [Public Preview]

Azure Sentinel – IdentityInfo table [Public Preview]

Prerequisite

Note

The IdentityInfo table

Benefits

Whats’s next ?

Source

No Comments

Add your comment Cancel reply

Thibault CHÂTIRON

Follow Blog via Email

Recent Posts

Categories

Archives