I started to create a solution, that would list logins based on the users Azure AD admin role. This can be achieved with the use of externalData() operator, and combination of Azure Workbooks,Storage and Functions.
Project description
- Show admin name and roles, and group events under username attribute
- Admin list is fetched from storageAccount, which provides the list for admins and roles
- The list is update every hour by Azure Function that has output binding to the Storage Account
- Change the desired daterange on picker below to extend monitoring range
Picture from the honeypot environment – Click the image for larger version
Logic to get updated list from Azure Function
Click picture for full size
Stay tuned for pt2
Br Joosua!
SecureCloudBlog 
0 comments on “Project Log 0 : Monitor logins by accounts assigned Azure AD roles”