Azure Sentinel – IdentityInfo table [Public Preview]
Enable UEBA – Use entity behavior analytics to detect advanced threats
If you already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under the ‘Azure Sentinel UEBA’ group in your Log Analytics workspace.
The IdentityInfo table contains a snapshot of the user’s profile: metadata information, group membership, assigned Azure AD roles and UEBA enrichments.
- Once UEBA is enabled, all your AAD users will be synced into the ‘IdentityInfo’ table
- Default retention time for the table is 30 days
- After the initial sync, any changes made to your users in AAD will be saved in Log Analytics within 15 minutes.
- Groups & Roles are updated on a daily basis
- Every 21 days we will resync your entire AAD directory, to make sure stale records are updated.
- Deleted group memberships (user was removed from a group) are not supported yet. The group will still be listed in the user’s group membership.
- Microsoft only supports Azure Active Directory built-in roles for the assigned roles attribute.
- The initial sync might take a few days (depending on the size of the tenant).
The IdentityInfo table
The table contains the following information:
It lets you run queries and investigate, for example:
- Check users who are members of a specific group
- Identify guest accounts in the tenant
- Identify cloud-only users
- Check users who have privileged roles
- Check if a server is accessed by someone who is not really legitimate
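As an added example (not a query from the original post), the following KQL covers the last three use cases in one go: it reduces IdentityInfo to the latest snapshot per user, flags guests and privileged-role holders, and joins that onto interactive logons to a given server. Column names (AccountUPN, AccountName, UserType, IsAccountEnabled, GroupMembership, AssignedRoles on IdentityInfo; Computer, TargetUserName, LogonType on SecurityEvent) and the hostname and role list are assumptions and should be checked against your workspace schema.

```kusto
// Added example, not part of the original post. Assumed column names: see lead-in.
let TargetServer = "FILESRV01";   // constructed hostname, replace with your server
let PrivilegedRoles = dynamic(["Global Administrator",
                               "Privileged Role Administrator",
                               "Security Administrator"]);   // constructed list
// IdentityInfo is a snapshot store: a user appears once per sync (initial sync,
// 15-minute change sync, 21-day full resync), so keep only the newest row per UPN
// before joining or counting, otherwise every user is multiplied by its history.
let LatestIdentity = IdentityInfo
    | where TimeGenerated > ago(30d)            // default retention is 30 days
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | extend IsGuest      = UserType =~ "Guest",
             IsPrivileged = AssignedRoles has_any (PrivilegedRoles)
    | extend AccountName  = tolower(AccountName);   // normalise for the join
// Interactive (2) and RDP (10) logons to the server, joined to the identity profile.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624 and Computer startswith TargetServer
| where LogonType in (2, 10)
| extend AccountName = tolower(TargetUserName)
| join kind=inner LatestIdentity on AccountName
// Flag logons by guests, disabled accounts, or Azure AD privileged-role holders.
| where IsGuest or IsPrivileged or IsAccountEnabled == false
| project TimeGenerated, Computer, AccountUPN, UserType, IsAccountEnabled,
          AssignedRoles, GroupMembership
| order by TimeGenerated desc
```

Drop the SecurityEvent part and keep only LatestIdentity with a `where GroupMembership has "<group>"` or `where IsGuest` filter to answer the group-membership and guest-account questions on their own.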
What’s next?
IdentityInfo table features to come:
- Blast Radius
- Extension property from AAD
- Investigation priority – risk score
- Is MFA registered
- Last seen date
- On-prem extension property
- AAD IP risk level and state
- Related service principals