Monitoring specific list of users, belonging to an AD group

%3CLINGO-SUB%20id%3D%22lingo-sub-2760325%22%20slang%3D%22en-US%22%3EMonitoring%20specific%20list%20of%20users%2C%20belonging%20to%20an%20AD%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2760325%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20everyone!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20list%20of%20users%20that%20I%20would%20like%20to%20use%20for%20additional%20monitoring.%20We%20could%20say%20these%20are%20%22high%20risk%22%20users.%20These%20users%20belong%20to%20specific%20AD%20groups%20(more%20than%20one).%20We%20are%20currently%20getting%20logs%20from%20our%20on%20prem%20domain%20controllers.%20These%20logs%20are%20within%20the%20%22SecurityEvent%22%20table.%20I'm%20trying%20to%20create%20multiple%20alerts%20specific%20to%20these%20users%2C%20such%20as%20these%20users%20being%20added%20to%20new%20security%20groups.%20I'm%20trying%20to%20come%20up%20with%20a%20query%20to%20do%20this%20but%20so%20far%20no%20luck.%20I%20have%20tried%20using%20the%20%22join%22%20or%20%22union%22%20operators%20to%20combine%20SecurityEvents%20and%20IdentityInfo%20tables%20so%20once%20an%20group%20addition%20event%20(4728%20for%20example)%26nbsp%3B%20is%20found%20in%20SecurityEvent%20table%2C%20it%20would%20look%20into%20IdentityInfo%20table%20to%20see%20if%20this%20user%20is%20part%20of%20the%20said%20groups%20(AD%20risk%20groups)%2C%20if%20it%20is%20then%20alert%20is%20triggered.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20was%20my%20idea%20but%20I%20am%20unable%20to%20get%20my%20query%20working.%20Am%20I%20on%20the%20right%20track%3F%20or%20would%20you%20have%20done%20it%20in%20a%20different%20way%3F%20I%20have%20come%20up%20with%20many%20different%20queries%20(that%20do%20not%20work)%20but%20see%20below%20for%20what%20I'm%20trying%20to%20achieve%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powerquery%22%3E%3CCODE%3Elet%20HIGHRISKGROUPS%3D%20dynamic(%5B%22TEAM1%22%2C%20%22TEAM2%22%2C%20%22TEAM3%22%2C%20%22TEAM4%22%2C%20%22TEAM_5%22%5D)%3B%0ASecurityEvent%0A%7C%20union%20IdentityInfo%0A%7C%20where%20EventID%20%3D%3D%204728%0A%7C%20where%20GroupMembership%20in%20(HIGHRISKGROUPS)%20%5C%5C%20this%20is%20from%20the%20IdentityInfo%20table%20but%20obviously%20I'm%20not%20sure%20how%20to%20correlate%20the%20user%20with%20group%20%20%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20guessing%20the%20query%20does%20not%20make%20sense%20but%20that%20is%20my%20struggle%20at%20the%20moment.%26nbsp%3B%20Also%2C%20any%20ideas%20of%20how%20else%20would%20you%20monitor%20these%20users%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eapplicable%20log%20sources%3A%3C%2FP%3E%3CP%3EAzureActivity%3C%2FP%3E%3CP%3ESecurityEvent%3C%2FP%3E%3CP%3EIdentityInfo%3C%2FP%3E%3CP%3EAzureActiveDirectory%20(%3C%2FP%3E%3CUL%20class%3D%22%22%3E%3CLI%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3ESigninLogs%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3EAuditLogs%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3EAADNonInteractiveUserSignInLogs%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3EAADServicePrincipalSignInLogs%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22%22%3EAADManagedIdentitySignInLogs%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3EAADProvisioningLogs%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2760572%22%20slang%3D%22en-US%22%3ERe%3A%20Monitoring%20specific%20list%20of%20users%2C%20belonging%20to%20an%20AD%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2760572%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1064224%22%20target%3D%22_blank%22%3E%40Ciyaresh%3C%2FA%3E%26nbsp%3BI%20would%20suggest%20using%20a%20Watchlist%20(perhaps%20based%20off%20of%20the%20VIP%20watchlist%20Template)%20to%20store%20your%20users%20or%20groups.%26nbsp%3B%20It%20will%20be%20much%20easier%20to%20update%20this%20than%20trying%20to%20update%20all%20the%20rules%20you%20created%20with%20the%20list%20of%20them%20in%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20the%20rest%20of%20your%20code%20should%20work%20better.%26nbsp%3B%20The%20dynamic%20will%20create%20an%20array%20rather%20than%20a%20table%20while%20if%20you%20use%20a%20Watchlist%20it%20will%20be%20returned%20as%20a%20table%20with%20the%20added%20bonus%20of%20being%20able%20to%20add%20columns%20to%20hold%20additional%20information.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2766150%22%20slang%3D%22en-US%22%3ERe%3A%20Monitoring%20specific%20list%20of%20users%2C%20belonging%20to%20an%20AD%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2766150%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1064224%22%20target%3D%22_blank%22%3E%40Ciyaresh%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20had%20a%20somewhat%20similar%20problem%20where%20i%20wanted%20to%20create%20a%20query%20for%20alerting%20on%20brute-force%20attempts%20against%20users%20in%20specific%20%22high%20risk%20groups%22.%20A%20user%20then%20came%20up%20with%20this%20solution%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Flearnsentinel.blog%2F2021%2F07%2F04%2Fenrich-hunting-with-data-from-ms-graph-and-azure-ad%2F%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flearnsentinel.blog%2F2021%2F07%2F04%2Fenrich-hunting-with-data-from-ms-graph-and-azure-ad%2F%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20way%20you%20can%20have%20a%20updated%20table%20of%20the%20high%20risk%20users%20from%20our%20AD%2C%20then%20you%20can%20join%20other%20tables%20to%20cross%20reference%20activity%20regarding%20changes%20to%20group%20membership.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2774549%22%20slang%3D%22en-US%22%3ERe%3A%20Monitoring%20specific%20list%20of%20users%2C%20belonging%20to%20an%20AD%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2774549%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F819982%22%20target%3D%22_blank%22%3E%40stianhoydal%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20so%20much%2C%20I%20was%20able%20to%20push%20the%20high%20risk%20users%20to%20sentinel%20logs%20with%20a%20playbook%20following%20your%20method.%20However...%20excuse%20my%20ignorance%20but%20the%20last%20query%20you%20are%20running..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Elet%20Alert%3D%0ASigninLogs%0A%7C%20where%20UserPrincipalName%20contains%20%22username%22%0A%7C%20where%20ResultType%20%3D%3D%20%2250158%22%0A%7C%20take%201%3B%0Alet%20HighRiskUser%3D%0AHighRiskUsers_CL%0A%7C%20where%20TimeGenerated%20%26gt%3B%20ago(24h)%0A%7C%20extend%20UserPrincipalName%20%3D%20UserPrincipalName_s%0A%7C%20project%20TimeGenerated%2C%20UserPrincipalName%2C%20AADObjectID_g%0A%3B%0AAlert%0A%7C%20join%20kind%3Dinner%20HighRiskUser%20on%20UserPrincipalName%0A%7C%20project%20TimeGenerated%2C%20ResultType%2C%20UserPrincipalName%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethis%20query%20works%20only%20if%20we%20replace%20%22username%22%20with%20an%20actual%20username.%20But%20wasnt%20the%20whole%20point%20of%20this%20to%20not%20enter%20usernames%20manually%3F%20what%20am%20I%20missing%20here.%20FYI%20I%20am%20just%20a%20beginner%20at%20KQL%20and%20still%20not%20familiar%20with%20most%20operators%2C%20including%20join%2Funion.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2775054%22%20slang%3D%22en-US%22%3ERe%3A%20Monitoring%20specific%20list%20of%20users%2C%20belonging%20to%20an%20AD%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2775054%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1064224%22%20target%3D%22_blank%22%3E%40Ciyaresh%3C%2FA%3E%26nbsp%3B%20Ah%2C%20well%20that%20is%20because%20the%20query%20you%20found%20in%20the%20link%20was%20made%20by%20the%20original%20creator%2C%20it%20is%20more%20of%20a%20test%20to%20see%20that%20it%20works.%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20probably%20do%20something%20like%20this%3B%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-cpp%22%3E%3CCODE%3Elet%20HighriskUsers%20%3D%20HighRiskUsers_CL%0A%7C%20distinct%20UserPrincipalName_s%3B%0ASecurityEvent%0A%7C%20where%20TargetAccount%20in%20(HighriskUsers)%0A%7C%20where%20EventID%20%3D%3D%20%224624%22%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3BJust%20make%20sure%20the%20custom%20log%20table%20usernames%20match%20with%20the%20SecurityEvent%20TargetAccount%20regarding%20upper%2Flower%20case.%20You%20can%20use%20the%20toupper%2Ftolower%20function%20to%20make%20sure%20they%20match%20if%20they%20are%20not%20by%20default.%20I%20use%20the%20distinct%20operation%20to%20make%20sure%20i%20dont%20get%20duplicate%20values%20from%20the%20custom%20table.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2776334%22%20slang%3D%22en-US%22%3ERe%3A%20Monitoring%20specific%20list%20of%20users%2C%20belonging%20to%20an%20AD%20group%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2776334%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F819982%22%20target%3D%22_blank%22%3E%40stianhoydal%3C%2FA%3E%26nbsp%3BThank%20you%2C%20now%20I%20get%20it%20fully.%20works%20as%20you%20described!%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hello everyone!

 

I have list of users that I would like to use for additional monitoring. We could say these are "high risk" users. These users belong to specific AD groups (more than one). We are currently getting logs from our on prem domain controllers. These logs are within the "SecurityEvent" table. I'm trying to create multiple alerts specific to these users, such as these users being added to new security groups. I'm trying to come up with a query to do this but so far no luck. I have tried using the "join" or "union" operators to combine SecurityEvents and IdentityInfo tables so once an group addition event (4728 for example)  is found in SecurityEvent table, it would look into IdentityInfo table to see if this user is part of the said groups (AD risk groups), if it is then alert is triggered. 

 

This was my idea but I am unable to get my query working. Am I on the right track? or would you have done it in a different way? I have come up with many different queries (that do not work) but see below for what I'm trying to achieve 

 

 

 

let HIGHRISKGROUPS= dynamic(["TEAM1", "TEAM2", "TEAM3", "TEAM4", "TEAM_5"]);
SecurityEvent
| union IdentityInfo
| where EventID == 4728
| where GroupMembership in (HIGHRISKGROUPS) \\ this is from the IdentityInfo table but obviously I'm not sure how to correlate the user with group  

 

 

 

I'm guessing the query does not make sense but that is my struggle at the moment.  Also, any ideas of how else would you monitor these users?

 

applicable log sources:

AzureActivity

SecurityEvent

IdentityInfo

AzureActiveDirectory (

  • SigninLogs
    AuditLogs
    AADNonInteractiveUserSignInLogs
    AADServicePrincipalSignInLogs
    AADManagedIdentitySignInLogs
    AADProvisioningLogs

 

5 Replies

@Ciyaresh I would suggest using a Watchlist (perhaps based off of the VIP watchlist Template) to store your users or groups.  It will be much easier to update this than trying to update all the rules you created with the list of them in it.

 

Then the rest of your code should work better.  The dynamic will create an array rather than a table while if you use a Watchlist it will be returned as a table with the added bonus of being able to add columns to hold additional information.

@Ciyaresh 

I had a somewhat similar problem where i wanted to create a query for alerting on brute-force attempts against users in specific "high risk groups". A user then came up with this solution:
https://learnsentinel.blog/2021/07/04/enrich-hunting-with-data-from-ms-graph-and-azure-ad/ 

This way you can have a updated table of the high risk users from our AD, then you can join other tables to cross reference activity regarding changes to group membership. 

@stianhoydal 

 

Thank you so much, I was able to push the high risk users to sentinel logs with a playbook following your method. However... excuse my ignorance but the last query you are running..

 

let Alert=
SigninLogs
| where UserPrincipalName contains "username"
| where ResultType == "50158"
| take 1;
let HighRiskUser=
HighRiskUsers_CL
| where TimeGenerated > ago(24h)
| extend UserPrincipalName = UserPrincipalName_s
| project TimeGenerated, UserPrincipalName, AADObjectID_g
;
Alert
| join kind=inner HighRiskUser on UserPrincipalName
| project TimeGenerated, ResultType, UserPrincipalName

 

this query works only if we replace "username" with an actual username. But wasnt the whole point of this to not enter usernames manually? what am I missing here. FYI I am just a beginner at KQL and still not familiar with most operators, including join/union. 

 

@Ciyaresh  Ah, well that is because the query you found in the link was made by the original creator, it is more of a test to see that it works. 

I would probably do something like this; 

let HighriskUsers = HighRiskUsers_CL
| distinct UserPrincipalName_s;
SecurityEvent
| where TargetAccount in (HighriskUsers)
| where EventID == "4624"

 Just make sure the custom log table usernames match with the SecurityEvent TargetAccount regarding upper/lower case. You can use the toupper/tolower function to make sure they match if they are not by default. I use the distinct operation to make sure i dont get duplicate values from the custom table. 

@stianhoydal Thank you, now I get it fully. works as you described!