Forum Discussion
RE: How do you identify 'non-privileged' users...
- Jul 19, 2021

Hey Jason, I believe you could write the logic to query the Watchlist and only add new members but believe it would be easier to just load everyone each time, and then query your Watchlist on the same frequency as your Logic App. For example – if you add 10 members on the first run, then add 3 members and run it again 4 hours later, your Watchlist will have 23 total items (original 10, plus 13 – the original 10 again and the new 3), but if you query your Watchlist on items added in the last 4 hours it will only show 13. If you then remove 5 users and run it again 4 hours later, your watchlist will have 31 total items (original 10, then the 13 we added, then the 8 current members), but if you query your Watchlist on the last 4 hours then you will just see the current 8 members and it’s accurate.
Hi again m_zorich,
After speaking to the client, due to where 'privileged' users are located, and to simplify the solution a little (no reference to MS Graph for the moment), an array with known privileged access groups will be used.
The array will contain each AAD group object ID, which will be 'looped' through to obtain 'member' data.
So the 'initial' Logic App design includes the following (with the highlighted area, the part I'm struggling with, still to be resolved):
* Apply Recurrence 'pattern'
* Initialise Variable GroupIDs (array type)
* Add GroupIDs to 'array'
* Parse JSON (of GroupID)
* Of Body returned, FIRST For Each (Return 'Group Members')
* For Each (Group Member)
* //NEED TO TEST 'IF' GROUP MEMBER HAS ALREADY BEEN ADDED TO WATCHLIST
* //HOW IS IT BEST TO QUERY ON THIS? - Account below represents Group Member
* ?// _GetWatchlist('PrivilegedUsers')
* ?// | extend AccountID = tostring(parse_json(WatchlistItem).AccountID)
* ?// | where AccountID == "@{items('For_each')?['Account']}"
* //OR
* ?// let PrivilegedUsers = (_GetWatchlist('PrivilegedUsers') | project AccountID);
* ?// | where Account !in (PrivilegedUsers)
* ?// | summarize AccountFound=count() by Account
* //Apply condition statement of:
* ?//If AccountID 'LENGTH' = 0
* //OR
* ?//If AccountFound 'COUNT' = 0
* Compose (input content for WATCHLIST; being AccountID : Account)
* Apply action: Watchlists - Add a new watchlist item
So the outstanding question I have is, how can I see if the account exists in the Watchlist and only add it if it doesn’t exist?
I initially pre-created the watchlist with only the 'HEADERS' and no items.
Jason
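The two approaches in this thread side by side, as an added example that is not code from either poster: an in-memory stand-in for the watchlist replays m_zorich's 10 / 13 / 8 member sequence with the "append everyone, read back the last 4 hours" pattern, and `sync_missing_only` shows Jason's "add only if not already present" check. The row shape, timestamps and account IDs are constructed for the demo, not Sentinel's real watchlist schema.

```python
from datetime import datetime, timedelta

# Constructed stand-in for a Sentinel watchlist: each Logic App run appends one row
# per current group member and nothing is ever removed. Row shape is an assumption
# for this demo: (added_at, account_id).
WatchlistRow = tuple[datetime, str]


def sync_members(watchlist: list[WatchlistRow], members: list[str], now: datetime) -> None:
    """m_zorich's approach: append every current member on every run, duplicates included."""
    for account in members:
        watchlist.append((now, account))


def recent_members(watchlist: list[WatchlistRow], now: datetime, window: timedelta) -> set[str]:
    """Read side: only rows added inside the last `window` reflect current membership.
    Strict '>' so a row stamped exactly at the cutoff (the previous run) is excluded."""
    cutoff = now - window
    return {account for added_at, account in watchlist if added_at > cutoff}


def sync_missing_only(watchlist: list[WatchlistRow], members: list[str], now: datetime) -> list[str]:
    """Jason's variant: add only accounts not already present, regardless of row age.
    Accounts that have since left the group stay listed; the time window above is what
    makes m_zorich's version reflect removals."""
    known = {account for _, account in watchlist}
    added = [account for account in members if account not in known]
    for account in added:
        watchlist.append((now, account))
    return added


def replay_thread_example() -> dict:
    """Replays the 10 -> 13 -> 8 member runs from the thread; returns (total rows, recent)."""
    t0 = datetime(2021, 7, 19, 0, 0)
    four_h = timedelta(hours=4)
    users = [f"user{i}@example.test" for i in range(1, 14)]  # constructed account IDs
    wl: list[WatchlistRow] = []
    sync_members(wl, users[:10], t0)                      # first run: 10 members
    sync_members(wl, users[:13], t0 + four_h)             # 3 joined: 13 members
    after_second = (len(wl), len(recent_members(wl, t0 + four_h, four_h)))
    sync_members(wl, users[5:13], t0 + 2 * four_h)        # 5 left: 8 members
    after_third = (len(wl), len(recent_members(wl, t0 + 2 * four_h, four_h)))
    return {"after_second": after_second, "after_third": after_third}


def dedupe_example() -> list[str]:
    """One existing row; only the genuinely new account is appended and returned."""
    wl: list[WatchlistRow] = [(datetime(2021, 7, 19), "a@example.test")]
    return sync_missing_only(wl, ["a@example.test", "b@example.test"], datetime(2021, 7, 19, 4))
```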