Forum Discussion
Dimitry36
Aug 04, 2022 Copper Contributor
Watchlist regular
Hi, all! Help me please. I'm trying to make a rule that will detect users when they are added to critical groups. The list of critical groups is kept in a Watchlist. The problem is that the log co...
Dimitry36
Aug 05, 2022 Copper Contributor
GaryBushey
let CriticalGroups = (_GetWatchlist('CriticalGroup') | project Name);
workspace("").WindowsEvent
| where EventID in (4732, 4728, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Group = tostring(EventData.MemberName)
| where Group matches regex (CriticalGroups)
| limit 100
'where' operator: Failed to resolve scalar expression named 'CriticalGroups' If the issue persists, please open a support ticket. Request id: 12cc72e8-15b0-4c17-aea3-466767b12a84
I suppose a particular function cannot be used in this way. What to do? Tell me please!
GaryBushey
Aug 05, 2022 Bronze Contributor
OK. I misunderstood what you were looking for. You just need to do a join on UPS (in the original posting)
| join (UPS) on $left.Group == $right.Name
(or something very close to that)
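Worked example, added here and not posted by either participant: the error in the thread comes from passing a tabular expression (the watchlist projection) to `matches regex`, which only accepts a scalar string. The query below shows three ways to match the group name against the watchlist that do compile: the `in` operator (which accepts a single-column tabular expression), the `join` Gary suggests, and a scalar regex built from the watchlist with `toscalar`/`strcat_array` for anyone who specifically wants regex semantics. It assumes the watchlist alias `CriticalGroup` with a `Name` column, as in the thread; the table and EventID list are the ones from the original query. Note that in the Windows 47xx group-membership events the group being modified is `TargetUserName`, while `MemberName` is the account that was added, so the example keys the lookup on `TargetUserName` rather than on `MemberName` as the original query did.

```kusto
// Added example; not from the thread. Assumes watchlist alias 'CriticalGroup' with a 'Name' column.
let CriticalGroups = _GetWatchlist('CriticalGroup') | project Name;
// Scalar regex alternative: collapse the watchlist into one "A|B|C" string so 'matches regex' gets a string, not a table.
let CriticalGroupsRegex = toscalar(
    _GetWatchlist('CriticalGroup')
    | summarize strcat_array(make_list(Name), "|"));
WindowsEvent
| where EventID in (4728, 4732, 4746, 4751, 4756, 4761, 4785, 4787)   // member added to a local/global/universal group
| where tostring(EventData.SubjectUserSid) != "S-1-5-18"              // ignore changes made by LOCAL SYSTEM
| extend Group  = tostring(EventData.TargetUserName),                 // the group being modified
         Member = tostring(EventData.MemberName),                     // the account that was added (DN form)
         Actor  = tostring(EventData.SubjectUserName)                 // who performed the change
// Option 1: 'in' accepts a single-column tabular expression (use 'in~' for a case-insensitive match).
| where Group in~ (CriticalGroups)
// Option 2 (equivalent, Gary's suggestion): an inner join keeps only rows whose Group appears in the watchlist.
// | join kind=inner (CriticalGroups) on $left.Group == $right.Name
// Option 3: regex against the scalar built above, if partial/pattern matching is wanted.
// | where Group matches regex CriticalGroupsRegex
| project TimeGenerated, Computer, EventID, Group, Member, Actor
| limit 100
```

Pick one of the three filters rather than stacking them; `in~` is the cheapest and gives an exact, case-insensitive name match, while the regex form will also match substrings (a watchlist entry `Admins` would match `Domain Admins` and `Schema Admins`), which may or may not be what the rule intends.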