Forum Discussion

Marc_Jacquard
Copper Contributor
Jul 16, 2021

Azure Sentinel rule to identify if user has not produced any events in 60 days

I am working on a rule that uses a watchlist of elevated accounts. What I am trying to create is a rule that will tell me if one of these elevated accounts has not been used in over 60 days so we can...
  • m_zorich
    Jul 20, 2021
    Assuming you have just listed your UserPrincipalNames in your watchlist, and your on-premises account is just the part before the @, then these two should work. When joining you need to have a column that matches on both sides (your query and your watchlist). For SigninLogs, UserPrincipalName is fine because that's what Azure AD uses to identify people. We will just rename UserPrincipalName to UserName to match your watchlist. I added ResultType == 0 to only get successful sign-ins, but you can remove it if you want.

    // Watchlist of elevated accounts, reduced to the single UserName column used for the join
    let adminlist = (_GetWatchlist("Elevated_accounts") | project UserName);
    SigninLogs
    | where TimeGenerated > ago(30d)
    // Rename so the column name matches the watchlist column
    | extend UserName = UserPrincipalName
    | where UserName in (adminlist)
    // Successful sign-ins only
    | where ResultType == 0
    | distinct UserName
    // rightanti keeps the watchlist rows with no matching sign-in, i.e. the unused accounts
    | join kind=rightanti adminlist on UserName

    For SecurityEvent we want to use TargetUserName, so we will rename it when we set our variable and trim the @yourdomain.com part out.

    // Strip the "@domain" suffix from the UPN so it matches the on-premises TargetUserName
    let adminlist = (_GetWatchlist("Elevated_accounts") | extend TargetUserName = trim_end(@"@(.*)", UserName) | project TargetUserName);
    SecurityEvent
    | where TimeGenerated > ago(30d)
    | where TargetUserName in (adminlist)
    | distinct TargetUserName
    // Watchlist accounts with no SecurityEvent activity in the window
    | join kind=rightanti adminlist on TargetUserName

    Try those and let me know
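The following Python script is an added illustration of what the two queries above compute, not code from the original thread. It models the `join kind=rightanti` logic over a constructed watchlist and constructed sign-in rows (the account names, timestamps and the fixed "now" are all made up), combines the cloud and on-premises checks into one result, and uses the 60-day window from the question. It also shows the two cases a defender should confirm the rule handles: a recent failed sign-in does not count as activity, and an on-premises logon recorded without the domain suffix still counts.

```python
"""Dormant elevated-account check, modelled on the two KQL queries in the thread.

All data below is constructed sample data, not real logs: a watchlist of
elevated UPNs, some SigninLogs-style rows and some SecurityEvent-style rows.
The logic mirrors `join kind=rightanti`: keep every watchlist account that has
no successful activity inside the lookback window in either source.
"""
from datetime import datetime, timedelta, timezone

# Constructed watchlist, in the shape of _GetWatchlist("Elevated_accounts") | project UserName
WATCHLIST = [
    "alice.admin@contoso.example",
    "bob.admin@contoso.example",
    "carol.admin@contoso.example",
    "dave.admin@contoso.example",
]

# Fixed "now" so the result is reproducible (assumption for the example)
NOW = datetime(2021, 7, 20, tzinfo=timezone.utc)

# Constructed SigninLogs rows: (TimeGenerated, UserPrincipalName, ResultType)
SIGNIN_LOGS = [
    (NOW - timedelta(days=3), "alice.admin@contoso.example", 0),       # recent success
    (NOW - timedelta(days=10), "bob.admin@contoso.example", 50126),    # recent, but failed
    (NOW - timedelta(days=75), "carol.admin@contoso.example", 0),      # success, outside 60d
]

# Constructed SecurityEvent rows: (TimeGenerated, TargetUserName); on-prem names carry no domain
SECURITY_EVENTS = [
    (NOW - timedelta(days=20), "dave.admin"),   # on-prem logon inside the window
    (NOW - timedelta(days=90), "carol.admin"),  # outside the window
]


def strip_domain(upn: str) -> str:
    """Equivalent of trim_end(@"@(.*)", UserName): drop the '@' and everything after it."""
    return upn.split("@", 1)[0]


def active_cloud_users(rows, now, lookback_days):
    """Distinct UPNs with a successful (ResultType == 0) sign-in inside the window."""
    cutoff = now - timedelta(days=lookback_days)
    return {upn for ts, upn, result in rows if ts > cutoff and result == 0}


def active_onprem_users(rows, now, lookback_days):
    """Distinct TargetUserNames seen inside the window."""
    cutoff = now - timedelta(days=lookback_days)
    return {name for ts, name in rows if ts > cutoff}


def dormant_accounts(watchlist, signin_rows, security_rows, now, lookback_days=60):
    """Right-anti join: watchlist entries with no activity in either source."""
    cloud = active_cloud_users(signin_rows, now, lookback_days)
    onprem = active_onprem_users(security_rows, now, lookback_days)
    return sorted(
        upn for upn in watchlist
        if upn not in cloud and strip_domain(upn) not in onprem
    )


if __name__ == "__main__":
    for upn in dormant_accounts(WATCHLIST, SIGNIN_LOGS, SECURITY_EVENTS, NOW):
        print("no successful activity in 60 days:", upn)
```

With the sample data, bob's account is reported because its only recent sign-in failed, and carol's because both of her events fall outside the window; alice (cloud) and dave (on-premises only) are treated as in use. Widening the window to 100 days clears carol, which is the same effect as changing the `ago(...)` bound in the KQL.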
