Forum Discussion

Copper Contributor

Aug 04, 2022

Watchlist regular

Hi, all! Help my pleass. I'm trying to make a rule that will detect users when they are added to critical groups. The list of critical groups contains Watchlist. The problem is that the log co...

Bronze Contributor

Aug 04, 2022

There is the "matches regex" command that may help you. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/regex-operator

Dimitry36
Copper Contributor
Aug 05, 2022
GaryBushey
let CriticalGroups = (_GetWatchlist('CriticalGroup') | project Name);
workspace("").WindowsEvent
| where EventID in (4732, 4728, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Group = tostring(EventData.MemberName)
| where Group matches regex (CriticalGroups)
| limit 100

'where' operator: Failed to resolve scalar expression named 'CriticalGroups' If the issue persists, please open a support ticket. Request id: 12cc72e8-15b0-4c17-aea3-466767b12a84

I suppose a particular function cannot be used in this way. what to do? Tell me please!
- GaryBushey
  Bronze Contributor
  Aug 05, 2022
  Dimitry36
  OK. I misunderstood what you were looking for. You just need to do a join on UPS (in the original posting)
  
  | join (UPS) on $left.Group == $right.Name
  
  (or something very close to that)
  - Dimitry36
    Copper Contributor
    Aug 08, 2022
    GaryBushey
    test request. added the word Windows
    
    We make a request for events and check if the required word is in the specified field
    add comparison function
    
    I understand that the value must be exact. In my task, the value is not complete.
    How else can you solve this problem?

Resources