Update a watchlist via logic apps (AAD groups)

Question

Update a watchlist via logic apps (AAD groups)

Daniel Long 20

Hey,

I would like to build a sentinel watchlist from a dynamic list from an AAD group.
That way I can create analytics rules and dismiss any user in this particular watchlist.

I did try to use the identity info table however, it doesn't appear to be updated constantly so the rule doesn't work as I would like.

If there are better ways of doing it then it would be much appreciated.

Alfredo Revilla (MSFT) 25,146 Reputation points Microsoft Employee

2023-11-06T23:02:23.0366667+00:00

Hello @Daniel Long , please share steps required to reproduce your environment.
Clive Watson 4,246 Reputation points MVP

2023-11-07T08:52:43.5066667+00:00
Some parts of IdentityInfo are syn'c daily, some more often - I dont think there is an updated version of these limits.

Source:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037

After the initial sync, any changes to made in AAD to your users will be saved in LA in up to 15 minutes.

Groups & Roles are updated on a daily basis

Every 21 days we will resync your entire AAD directory, to make sure stale records are updated.

Note:

Deleted groups (user was removed from a group) is not supported yet. It will still be listed in the user’s groups membership.

We only support Azure Active Directory built-in roles for the assigned roles attribute.

The initial sync might take a few days (depending of the size of the tenant).
Clive Watson 4,246 Reputation points MVP

2023-11-07T13:26:15.3866667+00:00

Sorry I forgot to add, you can also use a Playbook to acess the Group directly - one example, that uses a specific Group, but you can follow the logic and create similar https://github.com/Azure/Azure-Sentinel/tree/51b0fe8ba764c74e2fa6ec136166443204c8b51c/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group

Alfredo Revilla (MSFT) 25,146 Reputation points Microsoft Employee

2023-11-06T23:02:23.0366667+00:00

Hello @Daniel Long , please share steps required to reproduce your environment.
Clive Watson 4,246 Reputation points MVP

2023-11-07T08:52:43.5066667+00:00

Some parts of IdentityInfo are syn'c daily, some more often - I dont think there is an updated version of these limits.

Source:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037

After the initial sync, any changes to made in AAD to your users will be saved in LA in up to 15 minutes.

Groups & Roles are updated on a daily basis

Every 21 days we will resync your entire AAD directory, to make sure stale records are updated.

Note:

Deleted groups (user was removed from a group) is not supported yet. It will still be listed in the user’s groups membership.

We only support Azure Active Directory built-in roles for the assigned roles attribute.

The initial sync might take a few days (depending of the size of the tenant).
Clive Watson 4,246 Reputation points MVP

2023-11-07T13:26:15.3866667+00:00

Sorry I forgot to add, you can also use a Playbook to acess the Group directly - one example, that uses a specific Group, but you can follow the logic and create similar https://github.com/Azure/Azure-Sentinel/tree/51b0fe8ba764c74e2fa6ec136166443204c8b51c/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group

Update a watchlist via logic apps (AAD groups)

Activity