Query for a User Management Activity

Hi All,

I wanted to write a KQL query for the following scenario:

A user "X" is created, and "X" is added to a security-enabled group. Then X is deleted, or X deletes some other account.

I have written a sample query; please guide me on how to write the correct query.


// Step 1: accounts that were created (4720) and then added to a security-enabled group (4728/4732).
// Note: MemberName on the group events is a distinguished name such as "CN=X,CN=Users,DC=contoso,DC=com";
// the CN component is used as the join key, so it must match the account name logged by 4720.
let a = SecurityEvent
| where EventID == 4720                                   // user account created
| extend Account_Final = tostring(TargetUserName)
| project Account_Final, Activity, SubjectUserName
| join kind=inner (
    SecurityEvent
    | where EventID in (4728, 4732)                       // member added to security-enabled global/local group
    | extend Account_Final = extract(@"^CN=([^,]+)", 1, MemberName)   // first CN component of the DN
    | where isnotempty(Account_Final)
    | project Account_Final, Activity, SubjectUserName
) on Account_Final;
// Step 2a: X itself is deleted (X is the target of 4726)
let b = a
| join kind=inner (
    SecurityEvent
    | where EventID == 4726                               // user account deleted
    | extend Account_Final = tostring(TargetUserName)
) on Account_Final;
// Step 2b: X deletes some other account (X is the subject of 4726)
let c = a
| join kind=inner (
    SecurityEvent
    | where EventID == 4726
    | extend Account_Final = tostring(SubjectUserName)
) on Account_Final;
b | union c
1 Reply

Hi @kmanish

Have you looked at the samples in the Sentinel GitHub? This example is similar in structure to your request (and has an adjustable time window [10 mins] as well, which could be useful).

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/UserAccountCreatedDelet...
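The same scenario written with the time window the reply suggests, as an added example (it is not the Sentinel repository's query and not the original poster's). It joins on SIDs rather than on names, so the CN-versus-sAMAccountName mismatch of a name join cannot drop events, and it also covers universal groups (4756), which goes beyond the two group events in the question. It assumes the SecurityEvent columns TimeGenerated, Computer, TargetSid, MemberSid, SubjectUserSid and MemberName.

```kql
// Added example (not the Sentinel repository's query). Assumes the SecurityEvent columns
// TargetSid, MemberSid, SubjectUserSid, MemberName, TimeGenerated and Computer.
let timeframe = 10m;   // adjustable window, as in the linked Sentinel sample
let created = SecurityEvent
| where EventID == 4720                                    // user account created
| project CreatedTime = TimeGenerated, Computer, AccountSid = TargetSid,
          Account = TargetUserName, CreatedBy = SubjectUserName;
let addedToGroup = SecurityEvent
| where EventID in (4728, 4732, 4756)                      // added to security-enabled global/local/universal group
| project AddedTime = TimeGenerated, AccountSid = MemberSid,
          MemberDn = MemberName, GroupName = TargetUserName, AddedBy = SubjectUserName;
let deleted = SecurityEvent
| where EventID == 4726                                    // user account deleted
| project DeletedTime = TimeGenerated, DeletedSid = TargetSid, DeletedAccount = TargetUserName,
          DeleterSid = SubjectUserSid, DeletedBy = SubjectUserName;
// X created, then added to a group inside the window
let staged = created
| join kind=inner addedToGroup on AccountSid
| where AddedTime between (CreatedTime .. (CreatedTime + timeframe));
// Case 1: X itself is deleted afterwards (X is the target of 4726)
let xDeleted = staged
| join kind=inner (deleted | project-rename AccountSid = DeletedSid) on AccountSid
| where DeletedTime between (AddedTime .. (AddedTime + timeframe))
| extend Outcome = "created account was deleted";
// Case 2: X deletes some other account (X is the subject of 4726)
let xDeletes = staged
| join kind=inner (deleted | project-rename AccountSid = DeleterSid) on AccountSid
| where DeletedTime between (AddedTime .. (AddedTime + timeframe))
| extend Outcome = "created account deleted another account";
xDeleted
| union xDeletes
| project CreatedTime, AddedTime, DeletedTime, Computer, Account, AccountSid,
          GroupName, DeletedAccount, DeletedBy, Outcome
| order by CreatedTime desc
```

Each row is one full chain (create, group add, delete) within the window; widen timeframe if the steps in your environment are spread further apart.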