Microsoft Tech Community

Watchlist regular


Hi, all!

Help me, please.

I'm trying to make a rule that will detect users when they are added to critical groups. The list of critical groups is kept in a Watchlist.

The problem is that the log contains the full content of the AD branch.

[screenshot: Dimitry36_0-1659602278243.png]

1) the name of the group that is contained in the Watchlist.

 

let UPS =(_GetWatchlist('test') | project Group);
workspace("Sentinel").WindowsEvent
| where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Groups = tostring(EventData.MemberName)
| where Groups in (UPS)

 

Instead of "in" you need "contain".

Is it possible to use a Watchlist as a list for regex?

There is the "matches regex" command that may help you. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/regex-operator

@Gary Bushey  
let CriticalGroups = (_GetWatchlist('CriticalGroup') | project Name);
workspace("").WindowsEvent
| where EventID in (4732, 4728, 4746, 4751, 4756, 4761, 4787, 4785)
| where EventData.SubjectUserSid <> "S-1-5-18"
| extend Group = tostring(EventData.MemberName)
| where Group matches regex (CriticalGroups)
| limit 100

'where' operator: Failed to resolve scalar expression named 'CriticalGroups' If the issue persists, please open a support ticket. Request id: 12cc72e8-15b0-4c17-aea3-466767b12a84


I suppose a particular function cannot be used in this way. What to do? Tell me, please!

@Dimitry36 

OK. I misunderstood what you were looking for. You just need to do a join on UPS (in the original posting):

| join (UPS) on $left.Group == $right.Name

(or something very close to that)

@Gary Bushey 

Test request: added the word Windows.

[screenshot: Dimitry36_0-1659950664357.png]

We make a request for events and check if the required word is in the specified field.

[screenshot: Dimitry36_1-1659950844704.png]

Add comparison function.

[screenshot: Dimitry36_2-1659950925426.png]

I understand that the value must be exact. In my task, the value is not complete.

How else can you solve this problem?

@Dimitry36 

 

A stupid question: does this concern users being added to Active Directory groups?

If yes, then shouldn't the table be SecurityEvent, if the events are coming from Domain Controllers?

Which would point to the code being:

let watchlist = (_GetWatchlist('test') | project GroupName);
SecurityEvent
| where EventID in (4732, 4726, 4746, 4751, 4756, 4761, 4787, 4785)
// the watchlist is a tabular expression, so it must be the right-hand side of `in`
// (`watchlist has TargetUserName` is not valid KQL); `in~` makes the comparison case-insensitive
| where TargetUserName in~ (watchlist)
| summarize by MemberName, TargetUserName
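A worked version of the detection this thread is circling around, added here as an example; it is not code posted by Dimitry36, Gary Bushey or any other participant. It assumes a watchlist named 'CriticalGroups' with a column 'GroupName' holding plain group names such as "Domain Admins" (both names are assumptions). It uses `has_any` instead of `in`, so a watchlist entry still matches when the event field carries more than the bare group name, which is the substring problem from the first post, and it reads the group from TargetUserName as the last reply does:

```kql
// Added example, not code from the thread. Assumed names: watchlist 'CriticalGroups',
// column 'GroupName' (plain group names such as "Domain Admins").
let CriticalGroups = _GetWatchlist('CriticalGroups') | project GroupName;
SecurityEvent
// 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
| where EventID in (4728, 4732, 4756)
// ignore membership changes performed by the local SYSTEM account
| where SubjectUserSid != "S-1-5-18"
// For these events TargetUserName is the group that was changed and MemberName is the
// distinguished name of the account that was added, e.g.
// "CN=John Doe,OU=Staff,DC=contoso,DC=com" (constructed sample value).
//
// `in (CriticalGroups)` would require TargetUserName to equal a watchlist value exactly.
// `has_any` instead looks for each watchlist value as a term inside the field, so it also
// matches a field that carries a full distinguished name; a single-column tabular
// expression is accepted as the value list.
| where TargetUserName has_any (CriticalGroups)
// keep the member's CN for the alert without losing the full distinguished name
| extend MemberCN = extract(@"^CN=([^,]+)", 1, MemberName)
| project TimeGenerated, Computer, SubjectAccount, TargetUserName, MemberName, MemberCN
```

`has_any` uses term semantics: it is case-insensitive and matches whole terms, so a watchlist entry "Admins" will not match "Administrators". If a true substring match is wanted, the same filter can be written with `contains` against each watchlist value, at the cost of more false positives.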