Forum Discussion

gpneira
Copper Contributor
Jul 20, 2023
Solved

Detection rule Admin Grant permission granted

Hello, 

I have to deploy a rule that detects when a local user has received admin rights (or was added to a local admin group) and then this account made a login.

I have the tables that come from Defender for Endpoint, not security logs, which would be very easy..

I have those queries that work fine separately but I don't know how to make them a usable alert. Any help?

 

DeviceEvents
| where ActionType contains "UserAccountAddedToLocalGroup"
| join kind=inner (
    DeviceLogonEvents
    | extend AF = parse_json(AdditionalFields)
    | where IsLocalAdmin == 1 and AF.IsLocalLogon == "true"
// the posted query ended here; the join is closed on DeviceName only so it parses,
// the real join key (the SID of the added account) is what the question is asking for
) on DeviceName


  • dnsrk
    Brass Contributor

    Hey gpneira,
    if I understand you correctly the query below should help you.

    First, it looks for 'UserAccountAddedToLocalGroup' and extends the necessary fields, especially AddedAccountSID. Then it joins this table with DeviceLogonEvents where AddedAccountSID == AddedAccountSID.

    Please let me know if this worked for you.

    DeviceEvents
    | where ActionType == 'UserAccountAddedToLocalGroup'
    // for this ActionType AccountName/AccountSid describe the group; the added member's SID is in AdditionalFields.MemberSid
    | extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
    | extend LocalGroup = AccountName
    | extend LocalGroupSID = AccountSid
    | extend Actor = trim(@"[^\w]+",InitiatingProcessAccountName)
    // match logons by the SID of the account that was added to the group
    | join DeviceLogonEvents on $right.AccountSid == $left.AddedAccountSID
    // AdditionalFields1 is the logon side's AdditionalFields after the join; it is a string and must be parsed before a property can be read
    | where IsLocalAdmin == 1 and tobool(parse_json(AdditionalFields1).IsLocalLogon) == true
    | project Timestamp, DeviceName, LocalGroup, LocalGroupSID, AddedAccountSID, Actor, ActionType

     

    • gpneira
      Copper Contributor
      Hello dnsrk,
      Thank you very much for your response. I have deployed this rule right now but I don't have the test computer yet, until the 3rd week of August. I will implement this rule and test it.

      In addition, I'm thinking about it and I'm wondering if it's possible to also do it like: one local user created and admin permission granted to this recently created account. I think this is even simpler, right?

      I'm learning KQL and seeing your structure makes me really understand how it works, thank you very much.


      • dnsrk
        Brass Contributor
        Hey, yes, that's also possible to directly check the permissions.

        Should look somehow like this. I do not have access to Sentinel to validate unfortunately:
        DeviceEvents
        | where ActionType == 'UserAccountAddedToLocalGroup'
        | extend AddedAccountSID = tostring(parse_json(AdditionalFields).MemberSid)
        | extend LocalGroup = AccountName
        | extend LocalGroupSID = AccountSid
        | extend Actor = trim(@"[^\w]+",InitiatingProcessAccountName)
        // S-1-5-32-544 is the well-known SID of the built-in local Administrators group
        | where LocalGroupSID contains "S-1-5-32-544"
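The following query is an added example and is not part of the thread; it is not dnsrk's or gpneira's code. It combines gpneira's second idea (account created, then added to Administrators shortly afterwards) with the original requirement (that account then logs on locally as an admin) into one rule, with an explicit time window so that the three events are ordered rather than merely joined. It assumes the Microsoft Defender for Endpoint advanced-hunting schema as used above: for the UserAccountCreated action, AccountSid/AccountName describe the new account; for UserAccountAddedToLocalGroup they describe the group and AdditionalFields.MemberSid is the member; DeviceLogonEvents carries IsLocalAdmin and an IsLocalLogon flag inside AdditionalFields. The window lengths are assumptions to tune per environment.

```kql
// Added example (assumed schema, see the lead-in): chain "account created" -> "added to
// Administrators within grant_window" -> "first local admin logon after the grant".
let lookback = 7d;        // how far back the rule looks on each run (assumption, tune to the rule schedule)
let grant_window = 1h;    // max time between account creation and the admin-group grant (assumption)
let created =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UserAccountCreated"
    | project CreatedTime = Timestamp, DeviceId, DeviceName,
              NewAccountSid = AccountSid, NewAccountName = AccountName,
              CreatedBy = InitiatingProcessAccountName;
let granted =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "UserAccountAddedToLocalGroup"
    // the member that was added is in AdditionalFields.MemberSid; AccountSid is the group
    | extend MemberSid = tostring(parse_json(AdditionalFields).MemberSid)
    // exact match on the well-known SID of the built-in Administrators group
    | where AccountSid == "S-1-5-32-544"
    | project GrantTime = Timestamp, DeviceId, MemberSid,
              GroupName = AccountName, GrantedBy = InitiatingProcessAccountName;
let logons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where IsLocalAdmin == true
    // AdditionalFields is a JSON string; parse it before reading IsLocalLogon
    | extend IsLocalLogon = tobool(parse_json(AdditionalFields).IsLocalLogon)
    | where IsLocalLogon == true
    | project LogonTime = Timestamp, DeviceId, AccountSid, LogonType;
created
// same device and same SID: the account that was created is the one that was granted
| join kind=inner granted on DeviceId, $left.NewAccountSid == $right.MemberSid
| where GrantTime between (CreatedTime .. (CreatedTime + grant_window))
// leftouter keeps grants that have not (yet) been followed by a logon
| join kind=leftouter logons on DeviceId, $left.NewAccountSid == $right.AccountSid
// only logons that happen after the grant count; earlier ones are blanked, not dropped
| extend LogonTime = iff(LogonTime > GrantTime, LogonTime, datetime(null))
| summarize FirstAdminLogon = min(LogonTime)
    by CreatedTime, GrantTime, DeviceName, NewAccountSid, NewAccountName, GroupName, CreatedBy, GrantedBy
| extend Severity = iff(isnotnull(FirstAdminLogon), "High", "Medium")
| order by GrantTime desc
```

As a scheduled rule (Defender custom detection or a Sentinel analytics rule), set the run frequency so that consecutive runs overlap the lookback, otherwise a creation in one run and a grant in the next would never be joined. Rows with Severity "Medium" are grants that have not been used yet; "High" rows are the case gpneira described, where the newly privileged account has already logged on interactively.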
