Query for a User Management Activity

Hi All, 


I wanted to write a KQL query for the following scenario:

A user "X" is created, and "X" is added to a security-enabled group. Then X is deleted, or X deletes some other account.

I have written a sample query; please guide me on how to write the correct query.


// Accounts created (4720) that were then added to a security-enabled group
// (4728 = global group, 4732 = local group). EventID is an integer column,
// so it is compared without quotes.
let a = SecurityEvent
| where EventID == 4720
| project Account_Final = TargetUserName, Activity, SubjectUserName
| join kind=inner (
    SecurityEvent                        // the right side of a join needs its own source table
    | where EventID == 4728 or EventID == 4732
    // MemberName is a distinguished name ("CN=X,CN=Users,DC=..."); take the first CN value.
    // Note: the CN can differ from the sAMAccountName in TargetUserName; joining 4720's
    // TargetSid to the 4728/4732 MemberSid is more reliable if that matters in your domain.
    | extend Account_Final = extract(@"CN=([^,]+)", 1, MemberName)
    | where isnotempty(Account_Final)
    | project Account_Final, Activity, SubjectUserName
) on Account_Final;
// Case 1: the new account X is itself deleted (4726 with TargetUserName == X)
let b = a | join kind=inner (
    SecurityEvent | where EventID == 4726
    | project Account_Final = TargetUserName, Activity, SubjectUserName
) on Account_Final;
// Case 2: X deletes some other account (4726 with SubjectUserName == X)
let c = a | join kind=inner (
    SecurityEvent | where EventID == 4726
    | project Account_Final = SubjectUserName, Activity, TargetUserName
) on Account_Final;
b | union c

Hi @kmanish 


Have you looked at the samples in the Sentinel GitHub? This example is similar in structure to your request (and has an adjustable time window [10 mins] as well, which could be useful).
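The time-windowed structure the reply refers to, written out as an added example; this is not the reply author's query and not the Sentinel GitHub sample itself. It correlates the same three steps (4720 creation, 4728/4732 group membership, 4726 deletion) on SIDs rather than account names, which avoids the CN-versus-sAMAccountName mismatch in the name-based join, and keeps only chains that complete inside the window. The 10-minute window is a placeholder taken from the reply; the `Outcome` labels and the column aliases are my own naming, and all source columns (`TargetSid`, `MemberSid`, `SubjectUserSid`, `TimeGenerated`, `Computer`) are standard SecurityEvent columns.

```kql
// Added example (not from the thread): creation -> group add -> deletion, keyed on SIDs
// and constrained to an adjustable window. 10m is a placeholder; tune it per environment.
let window = 10m;
let created = SecurityEvent
| where EventID == 4720
| project CreatedTime = TimeGenerated, NewSid = TargetSid, NewAccount = TargetUserName,
          CreatedBy = SubjectUserName, Computer;
let addedToGroup = SecurityEvent
| where EventID in (4728, 4732)                 // global / local security-enabled group
| project AddedTime = TimeGenerated, NewSid = MemberSid, GroupName = TargetUserName,
          AddedBy = SubjectUserName;
let deletions = SecurityEvent
| where EventID == 4726
| project DeletedTime = TimeGenerated, DeletedSid = TargetSid, DeletedAccount = TargetUserName,
          DeleterSid = SubjectUserSid, DeletedBy = SubjectUserName;
// Steps 1 + 2: the account was added to a group within the window after creation
let staged = created
| join kind=inner (addedToGroup) on NewSid
| where AddedTime between (CreatedTime .. (CreatedTime + window))
| project-away NewSid1;
// Step 3a: the new account itself is deleted within the window after the group add
let selfDeleted = staged
| join kind=inner (deletions | extend NewSid = DeletedSid) on NewSid
| where DeletedTime between (AddedTime .. (AddedTime + window))
| extend Outcome = "new account deleted";
// Step 3b: the new account deletes some other account within the same window
let deletedOthers = staged
| join kind=inner (deletions | extend NewSid = DeleterSid) on NewSid
| where DeletedTime between (AddedTime .. (AddedTime + window))
| extend Outcome = "new account deleted another account";
selfDeleted
| union deletedOthers
| project CreatedTime, AddedTime, DeletedTime, Outcome, NewAccount, CreatedBy,
          GroupName, AddedBy, DeletedAccount, DeletedBy, Computer
```

Because each `let` projects only the columns it needs before the join, the result has no ambiguous `Activity1`/`SubjectUserName1` columns, and the `between` filters turn the three unrelated events into an ordered sequence, which is what makes this usable as a scheduled analytics rule rather than a one-off hunt.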