Query for a User Management Activity

Question

Hi All,&nbsp;&nbsp;I wanted to write a KQL query for the following scenario:&nbsp;A user "X" is created, "X" is added to a security enabled group. Then X is deleted or X deletes some other account.&nbsp;&nbsp;I have written a sample query, please guide me how to write the correct query&nbsp;let a=SecurityEvent| where EventID == "4720" | extend Account_Cre=TargetUserName | extend Account_Final= tostring(Account_Cre)| project Account_Final, Activity , SubjectUserName | join kind= inner (SecurityEvent| where EventID == "4728" or EventID == "4732" | extend Account_Finally= extract_all(@"(=)(.*)(,CN=)", dynamic([2]),MemberName )| extend Account_Cre=Account_Finally[0][0]| extend Account_Final= tostring(Account_Cre) | where Account_Final !=""| project Account_Final , Activity, SubjectUserName ) on Account_Final ;let b= a | join kind= inner (SecurityEvent |where EventID == "4726" |extend Account_Final = TargetUserName ) on Account_Final;let c= a | join kind= inner (SecurityEvent |where EventID == "4726" | extend Account_Final =SubjectUserName ) on Account_Final;&nbsp;CliveWatson&nbsp;Ofer_Shezaf&nbsp;b | union c

clivewatson · Answer

Hi kmanish&nbsp;
&nbsp;
Have you looked at the samples in the Sentinel GitHub, this example is similar in structure to your request (and has an adjustable time window [10mins] as well, which could be useful).&nbsp;&nbsp;
&nbsp;
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDeleted_10m.yaml

Forum Discussion

Query for a User Management Activity

Share

Resources