Forum Discussion
Ciyaresh
Sep 17, 2021, Copper Contributor
Monitoring specific list of users, belonging to an AD group
Hello everyone! I have a list of users that I would like to use for additional monitoring. We could say these are "high risk" users. These users belong to specific AD groups (more than one). We are...
stianhoydal
Sep 20, 2021, Copper Contributor
I had a somewhat similar problem where I wanted to create a query for alerting on brute-force attempts against users in specific "high risk groups". A user then came up with this solution:
https://learnsentinel.blog/2021/07/04/enrich-hunting-with-data-from-ms-graph-and-azure-ad/
This way you can have an updated table of the high-risk users from our AD; then you can join other tables to cross-reference activity regarding changes to group membership.
- Ciyaresh, Sep 22, 2021, Copper Contributor
Thank you so much, I was able to push the high-risk users to Sentinel logs with a playbook following your method. However... excuse my ignorance, but the last query you are running...
// Left side: one matching sign-in for a hard-coded user and result code
let Alert = SigninLogs
    | where UserPrincipalName contains "username"
    | where ResultType == "50158"
    | take 1;
// Right side: the custom table pushed by the playbook, last 24 hours,
// with the custom column renamed so the join key matches SigninLogs
let HighRiskUser = HighRiskUsers_CL
    | where TimeGenerated > ago(24h)
    | extend UserPrincipalName = UserPrincipalName_s
    | project TimeGenerated, UserPrincipalName, AADObjectID_g;
Alert
| join kind=inner HighRiskUser on UserPrincipalName
| project TimeGenerated, ResultType, UserPrincipalName
This query works only if we replace "username" with an actual username. But wasn't the whole point of this to not enter usernames manually? What am I missing here? FYI, I am just a beginner at KQL and still not familiar with most operators, including join/union.
- stianhoydal, Sep 22, 2021, Copper Contributor
Ciyaresh Ah, well, that is because the query you found in the link was made by the original creator; it is more of a test to see that it works.
I would probably do something like this:
// One-column set of watched usernames; distinct removes rows repeated by each playbook run
let HighriskUsers = HighRiskUsers_CL
    | distinct UserPrincipalName_s;
SecurityEvent
| where TargetAccount in (HighriskUsers)
// EventID is an integer column in SecurityEvent, so compare against a number, not a string
| where EventID == 4624
Just make sure the custom log table usernames match the SecurityEvent TargetAccount regarding upper/lower case. You can use the toupper/tolower functions to make sure they match if they do not by default. I use the distinct operator to make sure I don't get duplicate values from the custom table.
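The following is an added example, not code from the thread or from the linked blog post. It carries the two answers above one step further: it normalises the account name on both sides (the playbook table holds a full UPN, while SecurityEvent holds the plain account name in TargetUserName, in whatever case the workstation sent it), filters with `in` exactly as the answer does, and then joins the watch table back in to carry AADObjectID_g into the alert. The custom column names UserPrincipalName_s and AADObjectID_g are taken from the thread; the two datatable() blocks are constructed sample data so the query runs in any workspace, and the alert threshold (three failures in an hour) is an assumption to be tuned.

```kql
// Added example, not from the original thread. The two let-statements below
// are constructed sample data standing in for the real HighRiskUsers_CL and
// SecurityEvent tables; delete them to run against the live workspace.
let HighRiskUsers_CL = datatable(TimeGenerated:datetime, UserPrincipalName_s:string, AADObjectID_g:string)
[
    datetime(2021-09-22 08:00:00), "Alice.Smith@contoso.com", "11111111-1111-1111-1111-111111111111",
    datetime(2021-09-22 08:00:00), "bob.jones@contoso.com",   "22222222-2222-2222-2222-222222222222",
    datetime(2021-09-21 08:00:00), "bob.jones@contoso.com",   "22222222-2222-2222-2222-222222222222"  // stale row from yesterday's run
];
let SecurityEvent = datatable(TimeGenerated:datetime, EventID:int, TargetAccount:string, TargetUserName:string, IpAddress:string, Computer:string)
[
    datetime(2021-09-22 09:00:00), 4624, @"CONTOSO\alice.smith", "alice.smith", "10.0.0.5",    "DC01",
    datetime(2021-09-22 09:10:00), 4625, @"CONTOSO\bob.jones",   "bob.jones",   "203.0.113.7", "DC01",
    datetime(2021-09-22 09:11:00), 4625, @"CONTOSO\bob.jones",   "bob.jones",   "203.0.113.7", "DC01",
    datetime(2021-09-22 09:12:00), 4625, @"CONTOSO\bob.jones",   "bob.jones",   "203.0.113.7", "DC01",
    datetime(2021-09-22 09:13:00), 4625, @"CONTOSO\BOB.JONES",   "BOB.JONES",   "203.0.113.8", "DC02",  // same user, different case
    datetime(2021-09-22 09:20:00), 4625, @"CONTOSO\carol.white", "carol.white", "203.0.113.9", "DC01",  // not a watched user
    datetime(2021-09-22 09:21:00), 4625, @"CONTOSO\carol.white", "carol.white", "203.0.113.9", "DC01",
    datetime(2021-09-22 09:22:00), 4625, @"CONTOSO\carol.white", "carol.white", "203.0.113.9", "DC01"
];
// 1. Watch set. The playbook appends a row per user on every run, so keep only
//    the newest row per UPN, then derive a lowercase account name (the part
//    before '@') that can be compared with SecurityEvent.TargetUserName.
let HighRiskAccounts = HighRiskUsers_CL
    | summarize arg_max(TimeGenerated, AADObjectID_g) by UserPrincipalName_s
    | extend Account = tolower(tostring(split(UserPrincipalName_s, "@")[0]))
    | project Account, UserPrincipalName_s, AADObjectID_g;
// 2. Logon activity for watched accounts only. `in` is case-sensitive, so the
//    same tolower() is applied on this side; `in~` would be the
//    case-insensitive alternative. The filter is what the answer above does;
//    the join that follows only adds the UPN and object ID for the alert.
SecurityEvent
| where EventID in (4624, 4625)
| extend Account = tolower(TargetUserName)
| where Account in ((HighRiskAccounts | project Account))
| join kind=inner HighRiskAccounts on Account
| summarize
    Successes = countif(EventID == 4624),
    Failures  = countif(EventID == 4625),
    SourceIPs = make_set(IpAddress),
    Hosts     = make_set(Computer)
    by Account, UserPrincipalName_s, AADObjectID_g, bin(TimeGenerated, 1h)
// 3. Alert on a burst of failures (assumed threshold: 3 per hour) or on any
//    successful logon for a watched account.
| where Failures >= 3 or Successes > 0
| project TimeGenerated, Account, UserPrincipalName_s, AADObjectID_g, Successes, Failures, SourceIPs, Hosts
```

On the sample data this returns two rows: alice.smith with one success, and bob.jones with four failures from two source IPs and two hosts (the BOB.JONES row is counted because both sides were lowercased). carol.white is dropped even though she has three failures, because she is not in the watch table. Against a live workspace, add `| where TimeGenerated > ago(1d)` to the watch-set step, as the thread's original query does, so users removed from the high-risk groups stop being matched once the playbook stops pushing them.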
- Ciyaresh, Sep 22, 2021, Copper Contributor
stianhoydal Thank you, now I get it fully. Works as you described!