Forum Discussion

Dimitry36
Copper Contributor
Aug 04, 2022

Watchlist regular

Hi, all!

Help me please.

 

I'm trying to make a rule that will detect users when they are added to critical groups. The list of critical groups is kept in a Watchlist.

The problem is that the log contains the full content of the AD branch. 

 

1) the name of the group that is contained in Watchlist. 

 

let UPS =(_GetWatchlist('test') | project Group);
workspace("Sentinel").WindowsEvent
| where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Groups = tostring(EventData.MemberName)
| where Groups in (UPS)

 

Instead of "in" you need "contains".

 

Is it possible to use a Watchlist as a list for a regex?

    • Dimitry36
      Copper Contributor

      GaryBushey  
      let CriticalGroups = (_GetWatchlist('CriticalGroup') | project Name);
      workspace("").WindowsEvent
      | where EventID in (4732, 4728, 4746, 4751, 4756, 4761, 4787, 4785)
      | where EventData.SubjectUserSid <> "S-1-5-18"
      | extend Group = tostring(EventData.MemberName)
      | where Group matches regex (CriticalGroups)
      | limit 100

      'where' operator: Failed to resolve scalar expression named 'CriticalGroups' If the issue persists, please open a support ticket. Request id: 12cc72e8-15b0-4c17-aea3-466767b12a84


      I suppose a particular function cannot be used in this way. What should I do? Tell me please!

      • GaryBushey
        Bronze Contributor

        Dimitry36 

        OK. I misunderstood what you were looking for. You just need to do a join on UPS (in the original posting)

         

        | join (UPS) on $left.Group == $right.Name

         

        (or something very close to that)

  • raindropsdev
    Iron Contributor

    Dimitry36 

     

    A stupid question: this concerns users being added to Active Directory Groups?

     

    If yes, then shouldn't the table be SecurityEvent, since the events come from Domain Controllers?

     

    Which would point to the code being:

    let watchlist = (_GetWatchlist('test') | project GroupName);
    SecurityEvent
    | where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
    | where watchlist has TargetUserName
    | summarize by MemberName, TargetUserName

     

     
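The queries in the thread fail or mismatch for two reasons: `_GetWatchlist()` returns a table, so a tabular name cannot be passed to `matches regex` (hence the "Failed to resolve scalar expression" error), and in the group-membership events 4728/4732/4756 the group name is carried in TargetUserName while MemberName holds the distinguished name of the account that was added, which is why matching the watchlist against MemberName sees "the full content of the AD branch". The following query is an added example that is not from any of the posters; it assumes a Watchlist named 'CriticalGroups' with a column 'Name' holding plain group names (e.g. "Domain Admins") and the SecurityEvent table fed by Domain Controllers. It materialises the watchlist column into a dynamic array with `toscalar(make_list())` so it can be used with `has_any`, and shows the `join` form from the thread as an equivalent alternative.

```kql
// Added example, not code from the thread. Assumes a Watchlist 'CriticalGroups'
// with a column 'Name' containing plain AD group names, and the SecurityEvent table.
let CriticalGroups = (_GetWatchlist('CriticalGroups') | project Name);
// A watchlist is a table; turn the Name column into a dynamic array (a scalar)
// so it can be used on the right-hand side of in()/has_any().
let CriticalGroupList = toscalar(CriticalGroups | summarize make_list(Name));
SecurityEvent
// 4728 global, 4732 local, 4756 universal security group: member added
| where EventID in (4728, 4732, 4756)
// Skip membership changes performed by the local SYSTEM account
| where SubjectUserSid != "S-1-5-18"
// TargetUserName is the group that was modified; has_any does whole-term
// matching, so a watchlist entry "Domain Admins" matches without a regex.
| where TargetUserName has_any (CriticalGroupList)
// Equivalent alternative, exact-match join as suggested in the thread:
// | join kind=inner (CriticalGroups) on $left.TargetUserName == $right.Name
| extend Group = TargetUserName,
         // MemberName is the DN of the account that was added, e.g.
         // CN=jdoe,OU=Users,DC=contoso,DC=com (constructed sample value)
         AddedMemberDN = tostring(MemberName),
         Actor = SubjectUserName
| project TimeGenerated, Computer, EventID, Actor, Group, AddedMemberDN
```

If the watchlist column itself holds distinguished names rather than bare group names, use `in (CriticalGroupList)` for an exact match instead of `has_any`, and match on the DN column you actually store; `has_any` only matches whole indexed terms, so a partial group name in the watchlist will not hit.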
