Forum Discussion
Dimitry36
Aug 04, 2022 · Copper Contributor
Watchlist regular
Hi, all! Help me, please. I'm trying to make a rule that will detect users when they are added to critical groups. The list of critical groups contains Watchlist. The problem is that the log co...
raindropsdev
Aug 08, 2022 · Iron Contributor
A stupid question: this concerns users being added to Active Directory Groups?
If yes, then the table shouldn't be SecurityEvent if coming from DomainControllers?
Which would point to the code being:
let watchlist = (_GetWatchlist('test') | project GroupName);
SecurityEvent
| where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
// TargetUserName holds the group name; keep events whose group matches a watchlist entry
| where TargetUserName has_any (watchlist)
| summarize by MemberName, TargetUserName
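Added example, not part of the original thread: a self-contained KQL query that runs the watchlist lookup discussed above against constructed rows and shows how term matching (`has_any`) and exact, case-insensitive matching (`in~`) differ. The group names, accounts and timestamps are constructed, and the `datatable` blocks stand in for `_GetWatchlist('test')` and `SecurityEvent`.

```kql
// Constructed stand-in for: _GetWatchlist('test') | project GroupName
let watchlist = datatable(GroupName:string)
[
    "Domain Admins",
    "Enterprise Admins"
];
// Turn the watchlist column into a dynamic array so it can be reused in scalar expressions
let criticalGroups = toscalar(watchlist | summarize make_list(GroupName));
// Constructed stand-in for SecurityEvent rows collected from a domain controller.
// In group-membership events, TargetUserName is the group and MemberName is the added account.
let events = datatable(TimeGenerated:datetime, EventID:int, TargetUserName:string,
                       MemberName:string, SubjectUserName:string)
[
    datetime(2022-08-08 09:00:00), 4756, "Domain Admins",       "CN=User One,OU=Staff,DC=example,DC=com",   "admin1",
    datetime(2022-08-08 09:05:00), 4756, "enterprise admins",   "CN=User Two,OU=Staff,DC=example,DC=com",   "admin1",
    datetime(2022-08-08 09:10:00), 4732, "Helpdesk Operators",  "CN=User Three,OU=Staff,DC=example,DC=com", "admin2",
    datetime(2022-08-08 09:15:00), 4732, "Domain Admins Audit", "CN=User Four,OU=Staff,DC=example,DC=com",  "admin2"
];
events
| where EventID in (4732, 4756)
// has_any matches whole terms inside the value, so a longer group name
// that contains a watchlist entry also matches
| extend TermMatch  = TargetUserName has_any (criticalGroups)
// in~ requires the whole value to equal a watchlist entry, ignoring case
| extend ExactMatch = TargetUserName in~ (criticalGroups)
| project TimeGenerated, EventID, Group = TargetUserName, AddedMember = MemberName,
          AddedBy = SubjectUserName, TermMatch, ExactMatch
| order by TimeGenerated asc
```

For an analytics rule, filter on whichever column fits how the group names appear in the logs: `ExactMatch` avoids alerts on similarly named groups, while `TermMatch` tolerates extra text around the name.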