Aug 04 2022 01:38 AM
Hi, all!
Help me please.
I'm trying to make a rule that will detect users when they are added to critical groups. The list of critical groups contains Watchlist.
The problem is that the log contains the full content of the AD branch.
1) the name of the group that is contained in Watchlist.
let UPS = (_GetWatchlist('test') | project Group);
workspace("Sentinel").WindowsEvent
| where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Groups = tostring(EventData.MemberName)
| where Groups in (UPS)
Instead of "in" you need "contain".
Is it possible to use Watchlist as a list for regex?
Aug 04 2022 12:02 PM
Aug 05 2022 07:24 AM
@Gary Bushey
let CriticalGroups = (_GetWatchlist('CriticalGroup') | project Name);
workspace("").WindowsEvent
| where EventID in (4732, 4728, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Group = tostring(EventData.MemberName)
| where Group matches regex (CriticalGroups)
| limit 100
'where' operator: Failed to resolve scalar expression named 'CriticalGroups' If the issue persists, please open a support ticket. Request id: 12cc72e8-15b0-4c17-aea3-466767b12a84
I suppose a particular function cannot be used in this way. What to do? Tell me please!
Aug 05 2022 09:30 AM
OK. I misunderstood what you were looking for. You just need to do a join on UPS (in the original posting):
| join (UPS) on $left.Group == $right.Name
(or something very close to that)
Aug 08 2022 02:33 AM
Test request. Added the word Windows.
We make a request for events and check if the required word is in the specified field.
Add comparison function.
I understand that the value must be exact. In my task, the value is not complete.
How else can you solve this problem?
Aug 08 2022 07:53 AM
A stupid question: this concerns users being added to Active Directory Groups?
If yes, then the table shouldn't be SecurityEvent if coming from DomainControllers?
Which would point to the code being:
let watchlist = (_GetWatchlist('test') | project GroupName);
SecurityEvent
| where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
| where watchlist has TargetUserName
| summarize by MemberName, TargetUserName
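The partial-match lookup the thread is circling (a watchlist group name appearing somewhere inside an event field rather than matching it exactly), written out as an added example that is not from any post in the thread. It assumes a watchlist with alias 'CriticalGroup' whose 'Name' column holds plain group names, and the SecurityEvent table fed by domain controllers.

```kql
// Added example (not from the thread). Assumed: watchlist alias 'CriticalGroup'
// with a column 'Name' holding plain group names such as "Domain Admins".
// Pull the watchlist into one dynamic array so it can be used as a term list.
let CriticalGroups = toscalar(
    _GetWatchlist('CriticalGroup')
    | summarize make_list(Name));
SecurityEvent
// 4728 / 4732 / 4756: member added to a global / local / universal security group.
| where EventID in (4728, 4732, 4756)
| where SubjectUserSid != "S-1-5-18"        // skip changes performed by LOCAL SYSTEM
// has_any is a case-insensitive whole-term match anywhere in the string, so a
// watchlist entry such as "Domain Admins" hits even when surrounded by other text.
| where TargetUserName has_any (CriticalGroups)
| project TimeGenerated, Computer, Actor = SubjectUserName,
          GroupName = TargetUserName, AddedMember = MemberName;
//
// Variant for watchlist entries that are not whole terms (e.g. a DN fragment such
// as "CN=Domain Admins"): expand the array and test every entry with contains,
// keeping the entry that matched for the analyst.
let Fragments = toscalar(
    _GetWatchlist('CriticalGroup')
    | summarize make_list(Name));
SecurityEvent
| where EventID in (4728, 4732, 4756)
| where SubjectUserSid != "S-1-5-18"
| extend Candidates = Fragments
| mv-apply Hit = Candidates to typeof(string) on (
    where TargetUserName contains Hit     // substring, case-insensitive
  )
| project TimeGenerated, Computer, SubjectUserName,
          GroupName = TargetUserName, AddedMember = MemberName, MatchedEntry = Hit
```

Run either half on its own; the first is cheaper and enough when the watchlist holds plain group names, the second covers the case where only a fragment of the name is known.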