cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Sentinel Watchlist and KQL query

Jeff Walzer
Iron Contributor

‎Oct 06 2021 05:21 AM

‎Oct 06 2021 05:21 AM

Sentinel Watchlist and KQL query

I created a Sentinel VIP user watchlist and would like to use the SecurityAlert logs

 

I have the following query:

 

SecurityAlert
| extend User_Account_ = tostring(parse_json(ExtendedProperties).["User Account"])

 

 

The VIP user watchlist uses User Principal Name as a field so how can I create an alias for the User_Account field to match the User Principal Name of the User VIP watchlist?

 

Thx 

6,373 Views
1 Like
5 Replies
Reply
5 Replies
best response confirmed by Jeff Walzer (Iron Contributor)
Gary Bushey

‎Oct 06 2021 10:20 AM

‎Oct 06 2021 10:20 AM

Solution

Re: Sentinel Watchlist and KQL query

@Jeff Walzer Is there any reason you cannot just change the extend in line 2 to use the User Principal Name like:

| extend ['User Principal Name'] = tostring(parse_json(ExtendedProperties).["User Account"])

 

If you need to keep that User_Account variable you can do

| extend ['User Principal Name'] = User_Account
1 Like
Reply
Jeff Walzer

‎Oct 07 2021 06:26 AM

‎Oct 07 2021 06:26 AM

Re: Sentinel Watchlist and KQL query

@Gary Bushey - thx for the rely

 

So I now have the following query:

 

let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SecurityAlert
| extend ['User Principal Name'] = tostring(parse_json(ExtendedProperties).["User Account"])
| where 'User Principal Name' in (watchlist)
| project TimeGenerated, ['User Principal Name']

But when I run the query, I still see user names that aren't part of the VIP list

 

Thx 

0 Likes
Reply
Jeff Walzer

‎Oct 07 2021 07:29 AM

‎Oct 07 2021 07:29 AM

Re: Sentinel Watchlist and KQL query

@Gary Bushey 

 

I went back to the Watchlist documentation (https://docs.microsoft.com/en-us/azure/sentinel/watchlists) and saw this:

 

JeffWalzer_0-1633616884367.png

 

With that, I went back and rewrote the query to as follows:

SecurityAlert
| lookup kind=leftouter _GetWatchlist('VIP') 
on $left.CompromisedEntity == $right.SearchKey
| project TimeGenerated, CompromisedEntity, AlertName, AlertSeverity, Description

 

and I'm still seeing the same issue in which I see users who aren't on the VIP list

0 Likes
Reply
Gary Bushey

‎Oct 08 2021 04:11 AM

‎Oct 08 2021 04:11 AM

Re: Sentinel Watchlist and KQL query

I think you want to use inner rather than leftouter. From the KQL Documentation page: leftouter is used, which means all those rows will appear in the output with null values used for the missing values of RightTable columns added by the operator.

While inner will omit the rows
2 Likes
Reply
Jeff Walzer

‎Oct 11 2021 01:59 PM

‎Oct 11 2021 01:59 PM

Re: Sentinel Watchlist and KQL query

@Gary Bushey 

 

Thx again for the reply.

 

I used this statement to alias User_Acccount_ to "User Account"

| extend User_Account_ = tostring(parse_json(ExtendedProperties).["User Account"])

 

and my final working KQL queries look like this:

let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SecurityAlert
| extend User_Account_ = tostring(parse_json(ExtendedProperties).["User Account"])
| where 'User Principal Name' in (watchlist)

and

//Watchlist as a variable
let watchlist = (_GetWatchlist('VIP') | project 'User Principal Name');
SigninLogs
| where 'User Principal Name' in (watchlist)
| where isnotempty(ResultDescription)
| project TimeGenerated, UserPrincipalName, ResultDescription, Identity, Location, AppDisplayName

 

0 Likes
Reply