cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Analytic rule does not tigger an incident in sentinel using watchlist

MiguelCuba
Copper Contributor

‎Oct 12 2022 07:51 AM

‎Oct 12 2022 07:51 AM

Analytic rule does not tigger an incident in sentinel using watchlist

Hello.

I have an issue with an analytic rule. This analytic read a watchlist to exclude some and show other users that remove other ones from specific groups.

 

 

 

let watchlst_ =_GetWatchlist('SS-PE-PAC-WL-Grp_Pacifico_MFA_BYOD_Users')
    | project SearchKey;
AuditLogs
| extend AccountID = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where OperationName in~ ('Remove member from group', 'Remove owner from group')
| extend oldValue_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend oldValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue)))
| extend newValue_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend newValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend Afectado = tostring(TargetResources[0].userPrincipalName)
| where oldValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', ' Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel') or newValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', ' Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel')
| join kind = inner SigninLogs on $left.AccountID == $right.UserId
| where UserId !in~ (watchlst_)
| summarize
    by
    TimeGenerated,
    AccountUPN,
    Afectado,
    CorrelationId,
    oldValue_,
    newValue_,
    oldValueID_

 

 

 

 

Output:

MiguelCuba_1-1665585843606.png

 

Everything seems working fine until you deploy a sample test and this rule is not triggering an incident in Sentinel. Evenly when you go to "View query results" at the Set rule logic menu there are not results unless you change the time range manually and this alternative is not possible because this analytic rule has a query scheduling every 7 minutes.

MiguelCuba_2-1665586176656.pngMiguelCuba_3-1665586195670.png

 

Labels:
766 Views
0 Likes
2 Replies
Reply
2 Replies
Clive_Watson

‎Oct 12 2022 08:23 AM

‎Oct 12 2022 08:23 AM

Re: Analytic rule does not tigger an incident in sentinel using watchlist

The gap between Rows in the output screenshot is larger than 7mins. So, unless you have data within that lookback period there wouldn't be an alert.

Have you increased the "lookup data from the last" field as a test to 1d or something?
0 Likes
Reply
MiguelCuba

‎Oct 12 2022 08:48 AM

‎Oct 12 2022 08:48 AM

Re: Analytic rule does not tigger an incident in sentinel using watchlist

Hi @Clive_Watson 

Yes, actually I ran a sample test more than 7 minutes before I checked the Incidents blade.

MiguelCuba_0-1665589710566.png

 

0 Likes
Reply