
Commit e52a733

Merge pull request #216150 from yelevin/yelevin/whats-new-aadip-identityinfo
Added new AADIP message to What's New
2 parents 2152cb2 + ea0c746 commit e52a733

File tree

1 file changed (+44, -0 lines)


articles/sentinel/whats-new.md

Lines changed: 44 additions & 0 deletions
@@ -27,10 +27,54 @@ If you're looking for items older than six months, you'll find them in the [Arch
2727
2828
## October 2022
2929

30+
- [Account enrichment fields removed from Azure AD Identity Protection connector](#account-enrichment-fields-removed-from-azure-ad-identity-protection-connector)
3031
- [Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)](#microsoft-365-defender-now-integrates-azure-active-directory-identity-protection-aadip)
3132
- [Out of the box anomaly detection on the SAP audit log (Preview)](#out-of-the-box-anomaly-detection-on-the-sap-audit-log-preview)
3233
- [IoT device entity page (Preview)](#iot-device-entity-page-preview)
3334

35+
### Account enrichment fields removed from Azure AD Identity Protection connector
36+
37+
As of **September 30, 2022**, alerts coming from the **Azure Activity Directory Information Protection connector** no longer contain the following fields:
38+
39+
- CompromisedEntity
40+
- ExtendedProperties["User Account"]
41+
- ExtendedProperties["User Name”]
42+
43+
We are working to adapt Microsoft Sentinel's built-in queries and other operations affected by this change to look up these values in other ways (using the *IdentityInfo* table).
44+
45+
In the meantime, or if you've built any custom queries or rules directly referencing these fields, you'll need another way to get this information. Use the following two-step process to have your queries look up these values in the *IdentityInfo* table:
46+
47+
1. If you haven't already, **enable the UEBA solution** to sync the *IdentityInfo* table with your Azure AD logs. Follow the instructions in [this document](enable-entity-behavior-analytics.md).
48+
(If you don't intend to use UEBA in general, you can ignore the last instruction about selecting data sources on which to enable entity behavior analytics.)
49+
50+
1. Incorporate the query below in your existing queries or rules to look up this data by joining the *SecurityAlert* table with the *IdentityInfo* table.
51+
52+
```kusto
53+
SecurityAlert
54+
| where TimeGenerated > ago(7d)
55+
| where ProductName == "Azure Active Directory Identity Protection"
56+
| mv-expand Entity = todynamic(Entities)
57+
| where Entity.Type == "account"
58+
| extend AadTenantId = tostring(Entity.AadTenantId)
59+
| extend AadUserId = tostring(Entity.AadUserId)
60+
| join kind=inner (
61+
IdentityInfo
62+
| where TimeGenerated > ago(14d)
63+
| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
64+
| extend UserAccount = AccountUPN
65+
| extend UserName = AccountDisplayName
66+
| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
67+
| project AccountTenantId, AccountObjectId, UserAccount, UserName
68+
)
69+
on
70+
$left.AadTenantId == $right.AccountTenantId,
71+
$left.AadUserId == $right.AccountObjectId
72+
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
73+
| project-away AadTenantId, AadUserId, AccountTenantId, AccountObjectId
74+
```
75+
76+
For information on looking up data to replace enrichment fields removed from the UEBA UserPeerAnalytics table, See [Heads up: Name fields being removed from UEBA UserPeerAnalytics table](#heads-up-name-fields-being-removed-from-ueba-userpeeranalytics-table) for a sample query.
77+
3478
### Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)
3579
3680
As of **October 24, 2022**, [Microsoft 365 Defender](/microsoft-365/security/defender/) will be integrating [Azure Active Directory Identity Protection (AADIP)](../active-directory/identity-protection/index.yml) alerts and incidents. Customers can choose between three levels of integration:
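Review bot: the connector name in the new sentence under "### Account enrichment fields removed from Azure AD Identity Protection connector" is wrong: it reads "Azure Activity Directory Information Protection connector" while the heading, its anchor and the query's `| where ProductName == "Azure Active Directory Identity Protection"` filter all name Azure Active Directory Identity Protection, so it should read "Azure Active Directory Identity Protection connector". The third removed field has a mismatched closing quote, `- ExtendedProperties["User Name”]`, which should be `- ExtendedProperties["User Name"]`. In the sample query, `| join kind=inner (` drops every alert whose account has no IdentityInfo row in the last 14 days, so a customer who pastes this into an existing analytics rule silently loses those alerts rather than just missing the enrichment; if the intent is enrichment, `join kind=leftouter` keeps them and the `iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)` fallback then leaves CompromisedEntity empty for unmatched rows instead of removing them. Also `| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName` can still return more than one row per object ID when a UPN or display name changed inside the window, which duplicates the joined alert; a `summarize arg_max(TimeGenerated, *) by AccountTenantId, AccountObjectId` would guarantee one row per account. Finally, in the closing sentence "See" should be lower case and "for a sample query" repeats "For information on looking up data"; the link target `#heads-up-name-fields-being-removed-from-ueba-userpeeranalytics-table` should also be checked to exist in this file, since that section is not in the hunk.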
