Fatspiderman
Dec 07, 2021 (Copper Contributor)
Security Event 4732 and 4733 is missing details
Sentinel gets security events 4732 and 4733, but it's missing which users/groups get added or removed from the endpoints. The security logs are not detailed when I checked the event viewer. Am I miss...
Fatspiderman
Dec 27, 2021 (Copper Contributor)
I'm still having the issue.
m_zorich
Dec 27, 2021 (Iron Contributor)
Fatspiderman, the best way is to join the MemberSid property from your SecurityEvent to the IdentityInfo table to return the actual account name (requires UEBA enabled, as Clive_Watson notes):
SecurityEvent
// EventID is an integer column, so compare against integer literals
| where EventID in (4732, 4733)
| where AccountType <> "Machine"
| project TimeGenerated, Activity, GroupName=TargetAccount, UserWhoAdded=Account, MemberSid
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(21d)
    // keep only the latest IdentityInfo row per account
    | summarize arg_max(TimeGenerated, *) by AccountName
) on $left.MemberSid == $right.AccountSID
| project TimeGenerated, Activity, GroupName, UserWhoAdded, UserAdded=AccountName
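An added variant of the same join (not from the original post or from Microsoft) that keeps events whose member SID has no IdentityInfo row, so a missing UEBA sync does not silently hide a group change; the ResolvedMember name and the 21-day lookback are assumptions chosen here:

```kql
// Added example: resolve MemberSid via IdentityInfo, but do not drop events
// that fail to resolve. An inner join hides exactly the accounts UEBA has
// not seen yet (new or deleted accounts), which are often the interesting ones.
SecurityEvent
| where EventID in (4732, 4733)          // member added to / removed from a security-enabled local group
| where AccountType <> "Machine"
| project TimeGenerated, Computer, Activity,
          GroupName = TargetAccount,     // the group being changed
          UserWhoAdded = Account,        // the subject performing the change
          MemberSid                      // the member, logged only as a SID
| join kind=leftouter (
    IdentityInfo
    | where TimeGenerated > ago(21d)     // assumed lookback window
    // key on the SID itself so one row per SID survives
    | summarize arg_max(TimeGenerated, *) by AccountSID
    | project AccountSID, AccountName, AccountUPN
) on $left.MemberSid == $right.AccountSID
// fall back to the raw SID when no identity row matched
| extend ResolvedMember = coalesce(AccountName, strcat("unresolved:", MemberSid))
| project TimeGenerated, Computer, Activity, GroupName, UserWhoAdded, ResolvedMember, AccountUPN
| order by TimeGenerated desc
```

Rows whose ResolvedMember starts with "unresolved:" are a useful review queue, since they point at accounts IdentityInfo has not synchronized.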