Security Event 4732 and 4733 is missing details

New Contributor

Sentinel gets security events 4732 and 4733, but it's missing which users/groups get added or removed from the endpoints. The security logs are not detailed when I checked the event viewer. Am I missing anything? everytime we get the alert, we have to login to the endpoints to find out who gets added or removed from/to the endpoints. Any idea why? Thank you in advanced.

 

Here is the sample of Event ID 4732 security event:

<13>Nov 02 11:34:34 10.x.x.x AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=workstation hostname User= Domain= EventID=4732 EventIDCode=4732 EventType=8 EventCategory=13826 RecordNumber=10538593 TimeGenerated=1635867256447 TimeWritten=1635867256447 Message=A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-88204983-406522694-763843282-89944 Account Name: account name Account Domain: XX Logon ID: 0x293fd47ad Member: Security ID: S-1-5-21-88214183-406521614-761143212-101127 Account Name: - Group: Security ID: Administrators Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -

 

 

7 Replies
Yes I have it enabled. But that's not what I'm looking for. I attached the event viewer screenshot, where the member security ID (yellow highlighted) is not being forwarded to Sentinel. You can see the comparison between the Sentinel log and Event Viewer. However, the sentinel log has the Member Security ID as a SID (not the actual username/account name)

I have been running into this too and unable to find a solution, besides maybe adding automation to query the memberSID that actually is in the EventData and appending that to an email alert.

I can see the User/Group being added from the General Tab, but I do not see it in the Details view, which is probably why Sentinel doesn't see it. This also only seems to happen to local groups like Builtin\Administrators. For events related to security groups that are part of our domain I do get an actual value in the Member field.

@stevosec yes it's only happening to all local groups.

 

I have to find a way to do the automation to query the member SID. I'm still new to Microsoft Sentinel. Thank you.

Hi Henry, any updates on this issue? or work around is provided?
I'm still having the issue.

@Fatspiderman the best way is to join the membersid property from your SecurityEvent to the IdentifyInfo table to return the actual account name (requires UEBA enabled as @Clive_Watson notes)

 

SecurityEvent
| where EventID in ("4732","4733")
| where AccountType <> "Machine"
| project TimeGenerated, Activity, GroupName=TargetAccount, UserWhoAdded=Account, MemberSid
| join kind=inner(
IdentityInfo
| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountName
)
on $left.MemberSid==$right.AccountSID
| project TimeGenerated, Activity, GroupName, UserWhoAdded, UserAdded=AccountName