Dec 07 2021 09:50 AM - edited Dec 08 2021 09:22 AM
Sentinel gets security events 4732 and 4733, but it's missing which users/groups get added to or removed from the endpoints. The security logs are not detailed when I checked the Event Viewer. Am I missing anything? Every time we get the alert, we have to log in to the endpoints to find out who got added or removed. Any idea why? Thank you in advance.
Here is the sample of Event ID 4732 security event:
<13>Nov 02 11:34:34 10.x.x.x AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=workstation hostname User= Domain= EventID=4732 EventIDCode=4732 EventType=8 EventCategory=13826 RecordNumber=10538593 TimeGenerated=1635867256447 TimeWritten=1635867256447 Message=A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-88204983-406522694-763843282-89944 Account Name: account name Account Domain: XX Logon ID: 0x293fd47ad Member: Security ID: S-1-5-21-88214183-406521614-761143212-101127 Account Name: - Group: Security ID: Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
Dec 09 2021 10:21 AM - edited Dec 09 2021 11:11 AM
I have been running into this too and have been unable to find a solution, besides maybe adding automation to query the MemberSid that actually is in the EventData and appending that to an email alert.
I can see the User/Group being added from the General Tab, but I do not see it in the Details view, which is probably why Sentinel doesn't see it. This also only seems to happen to local groups like Builtin\Administrators. For events related to security groups that are part of our domain I do get an actual value in the Member field.
Dec 10 2021 06:19 AM
@stevosec yes, it's only happening with local groups.
I have to find a way to do the automation to query the member SID. I'm still new to Microsoft Sentinel. Thank you.
Dec 27 2021 03:26 PM
@Fatspiderman the best way is to join the MemberSid property from your SecurityEvent table to the IdentityInfo table to return the actual account name (this requires UEBA to be enabled, as @Clive_Watson notes):
SecurityEvent
// 4732 = member added to a security-enabled local group, 4733 = member removed.
// EventID is an int column, so compare against numbers rather than strings.
| where EventID in (4732, 4733)
| where AccountType != "Machine"
| project TimeGenerated, Activity, GroupName=TargetAccount, UserWhoAdded=Account, MemberSid
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(21d)
    // Keep the newest record per SID so each event joins to exactly one identity
    // (the join key is AccountSID, so deduplicate on it, not on AccountName).
    | summarize arg_max(TimeGenerated, *) by AccountSID
    | project AccountSID, AccountName
  ) on $left.MemberSid == $right.AccountSID
| project TimeGenerated, Activity, GroupName, UserWhoAdded, UserAdded=AccountName
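The IdentityInfo join above resolves directory (AD / Azure AD) identities. A SID that belongs to a purely local account exists only in the endpoint's own SAM, so for the local groups this thread is about the endpoint itself is the one place that can translate it. The script below is an added example, not code from anyone in this thread: it reads 4732/4733 from the local Security log, pulls MemberSid out of EventData (which carries the SID even when the rendered Message shows "Account Name: -"), translates it with the endpoint's LSA, and emits the same column names as the Sentinel query so the two outputs line up. The `$Hours` parameter, the `Resolve-MemberSid` function and the Activity wording are my own choices; it assumes an elevated session on the endpoint and that "Audit Security Group Management" is enabled.

```powershell
# Added example (not from the thread): resolve the member behind 4732/4733 on the endpoint.
# Assumptions: elevated PowerShell session on the Windows endpoint (reading the Security
# log needs admin) and "Audit Security Group Management" enabled in the audit policy.
param(
    [int]$Hours = 24   # look-back window; assumed default, not from the thread
)

# Translate a SID to DOMAIN\name or MACHINE\name using the endpoint's own LSA.
# A local SID only resolves on the machine that issued it; deleted accounts fail too.
function Resolve-MemberSid {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Keep the raw SID in the output rather than silently dropping the row
        return "<unresolved> $Sid"
    }
}

$filter = @{
    LogName   = 'Security'
    Id        = 4732, 4733
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData is the structured part of the event; the Message text is rendered
    # from it, and for local groups MemberName is "-" while MemberSid is populated.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Prefer the name the event already carries; fall back to SID translation.
    $memberName = $data['MemberName']
    if (-not $memberName -or $memberName -eq '-') {
        $memberName = Resolve-MemberSid -Sid $data['MemberSid']
    }

    $activity = if ($_.Id -eq 4732) { 'Member added to local group' }
                else                { 'Member removed from local group' }

    # Same column names as the Sentinel query so the outputs can be compared.
    [pscustomobject]@{
        TimeGenerated = $_.TimeCreated
        Activity      = $activity
        GroupName     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        UserWhoAdded  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        MemberSid     = $data['MemberSid']
        UserAdded     = $memberName
        Computer      = $_.MachineName
    }
} | Sort-Object TimeGenerated -Descending
```

The output is a stream of objects, so the email idea from earlier in the thread is a matter of piping it into ConvertTo-Html and Send-MailMessage (or of having a playbook run this on the host named in the alert); any row whose UserAdded begins with "<unresolved>" is a SID the endpoint could not translate and is worth a manual look.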