Query Details

Detection Enrichment Entra Group Membership

Query

# Detection Enrichment - Entra Group Membership Enriched

## Query Information

#### Description
Sentinel data lake job that writes an aggregated table of Entra group memberships, enriched with the group's display name, description and type, to the Log Analytics workspace (LAW) so it can be used for filtering and enrichment in detections and automations.

#### References
- https://learn.microsoft.com/en-us/azure/sentinel/datalake/enable-data-connectors


## Sentinel
```KQL
// Latest membership record per (group, member) pair, enriched with the latest group details
EntraGroupMemberships
| where TimeGenerated > ago(3d)
| summarize arg_max(TimeGenerated, *) by sourceId, targetId
| join kind=leftouter (
    EntraGroups
    | where TimeGenerated > ago(3d)
    // arg_max already returns the maximised column, so TimeGenerated is not repeated in the return list
    | summarize arg_max(TimeGenerated, description, displayName, groupTypes, mailNickname) by id
  ) on $left.sourceId == $right.id
| project GroupId = sourceId, ObjectId = targetId, tenantId, organizationId, GroupDescription = description, GroupDisplayName = displayName, groupTypes, mailNickname
```

Explanation

This query builds an enriched dataset of group memberships from Microsoft Entra ID (formerly Azure Active Directory) data, which can be used to filter and enrich security detections and automations in Microsoft Sentinel. Here is a breakdown of what the query does:

  1. Data Source: It starts by accessing the EntraGroupMemberships table, which contains records of group memberships.

  2. Time Filter: It filters the data to include only records generated in the last 3 days.

  3. Aggregation: It uses the summarize function to get the most recent record for each unique combination of sourceId (group) and targetId (member) based on the TimeGenerated timestamp.

  4. Joining Data: The query performs a left outer join with the EntraGroups table, which contains details about the groups themselves, such as descriptions and display names. This side is also filtered to the last 3 days and reduced to the most recent record per group id. Because the join is leftouter, a membership whose group has no EntraGroups record in that window is kept, but its group columns (description, display name, types, mail nickname) are null; filter on isnotempty(GroupDisplayName) in consumers that need the name.

  5. Projection: Finally, it selects and renames specific columns to create a more useful output. The resulting dataset includes:

    • GroupId: The ID of the group.
    • ObjectId: The ID of the member.
    • tenantId and organizationId: Identifiers for the tenant and organization.
    • GroupDescription: The description of the group.
    • GroupDisplayName: The display name of the group.
    • groupTypes: The types of the group.
    • mailNickname: The mail nickname of the group.

This enriched dataset can then be used in security operations to better understand group memberships and enhance threat detection and response activities.
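As an added example of the consumption side (not part of the original query), the detection below joins the enriched table against SigninLogs to surface risky successful sign-ins by members of a watched set of groups. It assumes the job above writes its output to a custom table named EntraGroupMembershipEnriched_KQL_CL with the projected column names (GroupId, ObjectId, GroupDisplayName, ...); the table name is whatever the job is configured with, and the watched group names are illustrative.

```kql
// Added example, not part of the original query.
// Assumed output table of the enrichment job: EntraGroupMembershipEnriched_KQL_CL
// Assumed watched group names; replace with the groups that matter in your tenant.
let WatchedGroups = dynamic(["Global Administrators", "Privileged Role Administrators", "Tier0 Admins"]);
let WatchedMembers =
    EntraGroupMembershipEnriched_KQL_CL
    | where isnotempty(GroupDisplayName)          // leftouter join in the job leaves nulls for groups outside its window
    | where GroupDisplayName in~ (WatchedGroups)
    | summarize WatchedGroupMembership = make_set(GroupDisplayName) by ObjectId;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                         // successful sign-ins only
| where RiskLevelDuringSignIn in ("medium", "high")
| join kind=inner WatchedMembers on $left.UserId == $right.ObjectId
| project TimeGenerated, UserPrincipalName, UserId, IPAddress, AppDisplayName, RiskLevelDuringSignIn, WatchedGroupMembership
```

The enriched table is a snapshot that is only as fresh as the job's schedule: a user added to a watched group after the last run does not match until the job runs again, so schedule the job more often than the detection's lookback if that gap matters to you.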

Details


Bert-Jan Pals

Released: February 10, 2026

Tables

EntraGroupMemberships, EntraGroups

Keywords

EntraGroupMemberships, EntraGroups, GroupId, ObjectId, TenantId, OrganizationId, GroupDescription, GroupDisplayName, GroupTypes, MailNickname

Operators

where, ago, summarize, arg_max, by, join, kind, on, project
