PortiBlog

Using Azure Sentinel for insights in Workplace Occupancy

17 augustus 2020

Azure Sentinel provides a great overview of security events in your organization. You can collect security events at a large scale. Now there are quite a few blogs about all the things you can do with it and I am by no means an expert. However, since we are all slowly going back to the office after working from home for a long period of time, we had an interesting use case. Like most companies we have built a nice app to book a working place at the office and we have been able to accommodate most people in working from the office when it makes sense.

Yet, sometimes you want to have some reporting capabilities as well. But we didn’t want to start scanning presence based on GPS or Key Tags or extending the App to phone home and tell us where people were. So we ended up looking at Azure Sentinel.

You can log all Office 365 Audit data to Azure Sentinel with the [O365 Log connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365). The cool thing about that is that it is ‘free’ if you want to capture only the last seven days of information. Now in our case we wanted to make sure that there were not too many people at one of our office locations. Seven days is sufficient for that case, and there is no need to buy additional resources.

Once you have the Unified Audit Log enabled and have setup a Log Analytics workspace, you can play around with the data you have. Keep in mind that the data is not ‘real time’ and there is a slight delay before data shows up in your logs. With the O365 log connector configured, all O365 data ends up in the OfficeActivity bucket. You can query this bucket and get some additional data. In our case we needed a query that returns all entries from a specific office location (based on IP address) and only within a specific timeframe.

```sql
OfficeActivity
 where TimeGenerated > ago(24h)
| where Client_IPAddress == "OfficeIP"
```

Once you have that data you can group by the User Identifier (UserId), or UserKey if you do not want the UPN to be visible. By grouping and summarizing the data you get an overview of when a user has logged in during that 24h timeframe.

```sql
OfficeActivity
| where TimeGenerated > ago(24h)
| where Client_IPAddress == "OfficeIP"
| summarize count(), max(TimeGenerated) by UserId
```

Resulting in a nice report with all your users that have logged in during the last 24 hours.17082020_Portiblog-Azure-Sentinel

If you are not comfortable with the UPN showing up, you can use the UserKey, as that does not show identifiable information directly in the report.

Once you have this report in place you can also add alert rules. An alert rule could be to send an email to your HR department if there are too many people on your office location. Or you can ‘disable’ the registration app and prevent new people to book a slot. Sending emails is the default option and just would serve as a notification. But as with all alert rules you can also add your own Logic App or Function to trigger custom events. Using a Logic App or Function you could even disable key tags so people cannot open the front door.

Given the fact that Sentinel might not be built for this, it still was a fun way to play around with data already present and make our office a bit safer all while learning about new stuff!

Originally posted at: https://www.cloudappie.nl/azure-sentinel-workplace-occupancy

 

Submit a comment