Oct 12 2022 07:51 AM
Hello.
I have an issue with an analytic rule. This analytic reads a watchlist to exclude some users and shows the other users that remove other ones from specific groups.
// Users listed in the watchlist are excluded from the results
let watchlst_ = _GetWatchlist('SS-PE-PAC-WL-Grp_Pacifico_MFA_BYOD_Users')
| project SearchKey;
AuditLogs
| where OperationName in~ ('Remove member from group', 'Remove owner from group')
// Actor (who performed the removal)
| extend AccountID = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// modifiedProperties[1] holds the group display name, [0] the group object id; both values are JSON-encoded strings, hence the double parse
| extend oldValue_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend oldValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue)))
| extend newValue_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend newValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].newValue)))
// Target (who was removed)
| extend Afectado = tostring(TargetResources[0].userPrincipalName)
| where oldValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', 'Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel')
    or newValue_ in ('Grp_Pacifico_MFA_BYOD_Users', 'Grp_Office365_MFA_External_Users', 'Grp_Pacifico_Home_Office_Users', 'Grp_Pacifico_Home_Office_BYOD_Users_MAC', 'Grp_Test_Sentinel')
// Inner join: a removal is only kept if its actor also has a SigninLogs row inside the query time range
| join kind=inner SigninLogs on $left.AccountID == $right.UserId
| where UserId !in~ (watchlst_)
| summarize by
    TimeGenerated,
    AccountUPN,
    Afectado,
    CorrelationId,
    oldValue_,
    newValue_,
    oldValueID_
Output:
Everything seems to be working fine until you deploy a sample test, and this rule is not triggering an incident in Sentinel. Even when you go to "View query results" in the Set rule logic menu there are no results unless you change the time range manually, and this alternative is not possible because this analytic rule has a query scheduling every 7 minutes.
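Added example, not from the original post: the same extraction and join logic run against constructed datatable rows standing in for AuditLogs, SigninLogs and the watchlist, so the rule logic can be checked independently of the scheduled time window. It shows that a removal whose actor has no SigninLogs row in the same window is dropped by the inner join; all GUIDs, UPNs and the group object id are constructed values.

```kql
// Constructed stand-ins for the watchlist, SigninLogs and AuditLogs (not tenant data)
let SampleWatchlist = datatable(SearchKey:string) [
    '33333333-3333-3333-3333-333333333333'   // admin3: deliberately excluded by the watchlist
];
let SampleSigninLogs = datatable(TimeGenerated:datetime, UserId:string, UserPrincipalName:string) [
    datetime(2022-10-12 07:30:00), '11111111-1111-1111-1111-111111111111', 'admin1@example.com',
    datetime(2022-10-12 07:31:00), '33333333-3333-3333-3333-333333333333', 'admin3@example.com'
];
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, CorrelationId:string, InitiatedBy:dynamic, TargetResources:dynamic) [
    // admin1 removes user1: has a sign-in row and is not on the watchlist -> expected in the output
    datetime(2022-10-12 07:40:00), 'Remove member from group', 'corr-0001',
    dynamic({"user": {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "admin1@example.com"}}),
    dynamic([{"userPrincipalName": "user1@example.com", "modifiedProperties": [
        {"displayName": "Group.ObjectID", "oldValue": "\"aaaaaaaa-0000-0000-0000-000000000001\"", "newValue": "\"\""},
        {"displayName": "Group.DisplayName", "oldValue": "\"Grp_Test_Sentinel\"", "newValue": "\"\""}]}]),
    // admin2 removes user2: no SigninLogs row in the window -> silently dropped by the inner join
    datetime(2022-10-12 07:41:00), 'Remove member from group', 'corr-0002',
    dynamic({"user": {"id": "22222222-2222-2222-2222-222222222222", "userPrincipalName": "admin2@example.com"}}),
    dynamic([{"userPrincipalName": "user2@example.com", "modifiedProperties": [
        {"displayName": "Group.ObjectID", "oldValue": "\"aaaaaaaa-0000-0000-0000-000000000001\"", "newValue": "\"\""},
        {"displayName": "Group.DisplayName", "oldValue": "\"Grp_Test_Sentinel\"", "newValue": "\"\""}]}]),
    // admin3 removes user3: on the watchlist -> excluded on purpose
    datetime(2022-10-12 07:42:00), 'Remove member from group', 'corr-0003',
    dynamic({"user": {"id": "33333333-3333-3333-3333-333333333333", "userPrincipalName": "admin3@example.com"}}),
    dynamic([{"userPrincipalName": "user3@example.com", "modifiedProperties": [
        {"displayName": "Group.ObjectID", "oldValue": "\"aaaaaaaa-0000-0000-0000-000000000001\"", "newValue": "\"\""},
        {"displayName": "Group.DisplayName", "oldValue": "\"Grp_Test_Sentinel\"", "newValue": "\"\""}]}])
];
SampleAuditLogs
| where OperationName in~ ('Remove member from group', 'Remove owner from group')
| extend AccountID  = tostring(parse_json(tostring(InitiatedBy.user)).id)
| extend AccountUPN = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// modifiedProperties[1] is the group display name, [0] the group object id; values are JSON-encoded strings, hence the double parse
| extend oldValue_   = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].oldValue)))
| extend oldValueID_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[0].oldValue)))
| extend Afectado = tostring(TargetResources[0].userPrincipalName)
| where oldValue_ in ('Grp_Test_Sentinel')
// inner join: a removal only survives if its actor also has a SigninLogs row in the same query window
| join kind=inner SampleSigninLogs on $left.AccountID == $right.UserId
| where UserId !in~ (SampleWatchlist)
| summarize by TimeGenerated, AccountUPN, Afectado, CorrelationId, oldValue_, oldValueID_
// Only the corr-0001 row remains: corr-0002 has no sign-in in the window, corr-0003 is on the watchlist
```

Replacing the three sample tables with AuditLogs, SigninLogs and _GetWatchlist(...) gives back the original rule body, so the same rows can be used to compare what the rule returns in a fixed time range against what it returns in the 7-minute scheduled window.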
Oct 12 2022 08:23 AM
Oct 12 2022 08:48 AM
Yes, actually I ran a sample test more than 7 minutes before I checked the Incidents blade.