Forum Discussion

MiguelCuba
Copper Contributor
Oct 12, 2022

Analytic rule does not trigger an incident in Sentinel using watchlist

Hello.

I have an issue with an analytic rule. This analytic rule reads a watchlist to exclude some users and shows the other users that remove other ones from specific groups.

let watchlst_ = _GetWatchlist('SS-PE-PAC-WL-Grp_Pacifico_MFA_BYOD_Users')
    | project SearchKey;
AuditLogs
| where OperationName in~ ('Remove member from group', 'Remove owner from group')
// Actor: InitiatedBy.user carries the object id and UPN of whoever made the change
| extend AccountID = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// modifiedProperties[0] is the group object id, [1] the group display name;
// their oldValue/newValue are JSON-encoded strings, hence the second parse_json
| extend modProps_ = parse_json(tostring(TargetResources[0].modifiedProperties))
| extend oldValue_ = tostring(parse_json(tostring(modProps_[1].oldValue)))
| extend oldValueID_ = tostring(parse_json(tostring(modProps_[0].oldValue)))
| extend newValue_ = tostring(parse_json(tostring(modProps_[1].newValue)))
| extend newValueID_ = tostring(parse_json(tostring(modProps_[0].newValue)))
// Target: the member or owner that was removed
| extend Afectado = tostring(TargetResources[0].userPrincipalName)
// Note: the original list had a leading space in ' Grp_Pacifico_Home_Office_BYOD_Users_MAC', which can never match; removed here
| where oldValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', 'Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel')
    or newValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', 'Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel')
// Inner join: a row survives only if SigninLogs also holds a sign-in for this actor
// inside the same query time range (for a scheduled rule, the lookback window)
| join kind=inner (SigninLogs | project UserId) on $left.AccountID == $right.UserId
// Drop actors whose object id is on the watchlist
| where UserId !in~ (watchlst_)
| summarize by TimeGenerated, AccountUPN, Afectado, CorrelationId, oldValue_, newValue_, oldValueID_

Output: [screenshot of query results]

Everything seems to be working fine until you deploy a sample test and the rule does not trigger an incident in Sentinel. Even when you go to "View query results" in the Set rule logic menu there are no results unless you change the time range manually, and that alternative is not possible because this analytic rule has a query scheduled every 7 minutes.
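Added example, not part of MiguelCuba's post or of the replies: it replays the core of the rule above over constructed rows so the effect of the scheduled rule's lookback window can be seen without live AuditLogs or SigninLogs. The run time, the 7-minute window, the object ids, UPNs and group name are all made up; the watchlist is a datatable standing in for `_GetWatchlist(...) | project SearchKey`, and the watchlist filter is applied to the actor id directly instead of through a join to SigninLogs.

```kusto
// Added example: constructed data, not the original rule's tables.
let rule_run_time = datetime(2022-10-12T10:00:00Z);   // assumed time of one scheduled run
let lookback = 7m;                                     // "Lookup data from the last" setting
// Stand-in for _GetWatchlist(...) | project SearchKey: actor object ids to exclude
let watchlst_ = datatable(SearchKey:string) [
    "aaaaaaaa-0000-0000-0000-000000000001"
];
// Stand-in for AuditLogs. Row c-001: in window, actor not on the watchlist.
// Row c-002: in window, but the actor is on the watchlist.
// Row c-003: a valid removal that is older than the window, so a 7-minute schedule never sees it.
let AuditLogsSample = datatable(TimeGenerated:datetime, OperationName:string, CorrelationId:string, InitiatedBy:dynamic, TargetResources:dynamic) [
    datetime(2022-10-12T09:57:00Z), "Remove member from group", "c-001",
        dynamic({"user":{"id":"bbbbbbbb-0000-0000-0000-000000000002","userPrincipalName":"admin1@contoso.example"}}),
        dynamic([{"userPrincipalName":"alice@contoso.example","modifiedProperties":[
            {"displayName":"Group.ObjectID","oldValue":"\"cccccccc-0000-0000-0000-000000000003\"","newValue":""},
            {"displayName":"Group.DisplayName","oldValue":"\"Grp_Test_Sentinel\"","newValue":""}]}]),
    datetime(2022-10-12T09:58:00Z), "Remove member from group", "c-002",
        dynamic({"user":{"id":"aaaaaaaa-0000-0000-0000-000000000001","userPrincipalName":"helpdesk@contoso.example"}}),
        dynamic([{"userPrincipalName":"bob@contoso.example","modifiedProperties":[
            {"displayName":"Group.ObjectID","oldValue":"\"cccccccc-0000-0000-0000-000000000003\"","newValue":""},
            {"displayName":"Group.DisplayName","oldValue":"\"Grp_Test_Sentinel\"","newValue":""}]}]),
    datetime(2022-10-12T09:30:00Z), "Remove member from group", "c-003",
        dynamic({"user":{"id":"bbbbbbbb-0000-0000-0000-000000000002","userPrincipalName":"admin1@contoso.example"}}),
        dynamic([{"userPrincipalName":"carol@contoso.example","modifiedProperties":[
            {"displayName":"Group.ObjectID","oldValue":"\"cccccccc-0000-0000-0000-000000000003\"","newValue":""},
            {"displayName":"Group.DisplayName","oldValue":"\"Grp_Test_Sentinel\"","newValue":""}]}])
];
AuditLogsSample
// A scheduled rule only queries this window; in the Logs blade you pick the range yourself
| where TimeGenerated between ((rule_run_time - lookback) .. rule_run_time)
| where OperationName in~ ('Remove member from group', 'Remove owner from group')
| extend AccountID  = tostring(InitiatedBy.user.id)
| extend AccountUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend modProps_  = TargetResources[0].modifiedProperties
// oldValue is a JSON-encoded string ("\"Grp_Test_Sentinel\""), so one more parse_json unwraps it
| extend oldValue_   = tostring(parse_json(tostring(modProps_[1].oldValue)))
| extend oldValueID_ = tostring(parse_json(tostring(modProps_[0].oldValue)))
| extend Afectado    = tostring(TargetResources[0].userPrincipalName)
| where oldValue_ in ('Grp_Test_Sentinel')
// Filter on the actor's id itself: no join to SigninLogs, so no sign-in has to
// fall inside the same window for the row to survive
| where AccountID !in~ (watchlst_)
| project TimeGenerated, AccountUPN, Afectado, CorrelationId, oldValue_, oldValueID_
```

Paste it into the Logs blade as-is: only the c-001 row comes back, c-002 is dropped by the watchlist and c-003 falls outside the window. Changing `lookback` to `2m` makes the result empty, which is the same behaviour a 7-minute scheduled rule shows when the test removal (or, with an inner join to SigninLogs, the actor's sign-in) happened more than 7 minutes before the run.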
2 Replies

  • Clive_Watson
    Bronze Contributor
    The gap between rows in the output screenshot is larger than 7 minutes. So, unless you have data within that lookback period, there wouldn't be an alert.

    Have you increased the "lookup data from the last" field as a test to 1d or something?
    • MiguelCuba
      Copper Contributor

      Hi Clive_Watson,

      Yes, actually I ran a sample test more than 7 minutes before I checked the Incidents blade.