Hello everyone!

I have a list of users that I would like to use for additional monitoring. We could say these are "high risk" users. These users belong to specific AD groups (more than one). We are currently getting logs from our on-prem domain controllers. These logs are within the "SecurityEvent" table. I'm trying to create multiple alerts specific to these users, such as these users being added to new security groups. I'm trying to come up with a query to do this but so far no luck. I have tried using the "join" or "union" operators to combine the SecurityEvent and IdentityInfo tables so that once a group addition event (4728, for example) is found in the SecurityEvent table, it would look into the IdentityInfo table to see if this user is part of the said groups (AD risk groups); if it is, then an alert is triggered.

This was my idea but I am unable to get my query working. Am I on the right track, or would you have done it in a different way? I have come up with many different queries (that do not work), but see below for what I'm trying to achieve.

let HIGHRISKGROUPS = dynamic(["TEAM1", "TEAM2", "TEAM3", "TEAM4", "TEAM_5"]);
SecurityEvent
| union IdentityInfo
| where EventID == 4728
| where GroupMembership in (HIGHRISKGROUPS) // this is from the IdentityInfo table but obviously I'm not sure how to correlate the user with the group

I'm guessing the query does not make sense, but that is my struggle at the moment. Also, any ideas on how else you would monitor these users?

Applicable log sources:

  • AzureActivity
  • SecurityEvent
  • IdentityInfo
  • AzureActiveDirectory:
      SigninLogs
      AuditLogs
      AADNonInteractiveUserSignInLogs
      AADServicePrincipalSignInLogs
      AADManagedIdentitySignInLogs
      AADProvisioningLogs

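One way to express the correlation described in the post, added here as an example and not part of the original question: take the latest IdentityInfo snapshot row per account, keep only accounts whose GroupMembership overlaps the watch list, then join that set to group-add events on the member's SID. The group names, the 7-day snapshot window and the MemberSid-to-AccountSID mapping are assumptions based on the SecurityEvent and IdentityInfo schemas.

```kql
// Added example, not the poster's query. Watch-list names and the 7-day
// IdentityInfo lookback are assumptions; adjust to your environment.
let HIGHRISKGROUPS = dynamic(["TEAM1", "TEAM2", "TEAM3", "TEAM4", "TEAM_5"]);
// IdentityInfo is a periodically refreshed snapshot, so keep one (latest) row
// per account and filter to accounts already in at least one watched group.
// set_intersect is case-sensitive: match the casing used in GroupMembership.
let HighRiskUsers = IdentityInfo
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by AccountSID
    | where array_length(set_intersect(GroupMembership, HIGHRISKGROUPS)) > 0
    | project AccountSID, AccountUPN, AccountDisplayName, GroupMembership;
// 4728 / 4732 / 4756: member added to a security-enabled global / local /
// universal group. MemberSid is the SID of the account that was added,
// TargetUserName is the group it was added to, SubjectUserName is the actor.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| where isnotempty(MemberSid)
| project TimeGenerated, EventID, Activity, Computer,
          AddedBy = SubjectUserName, NewGroup = TargetUserName,
          GroupDomain = TargetDomainName, MemberName, MemberSid
// Inner join: only additions of accounts on the high-risk list survive.
| join kind=inner HighRiskUsers on $left.MemberSid == $right.AccountSID
// Drop re-adds to a group the snapshot already lists for this account.
| where not(set_has_element(GroupMembership, NewGroup))
| project TimeGenerated, EventID, Activity, Computer, AddedBy, AccountUPN,
          AccountDisplayName, NewGroup, GroupDomain, MemberSid
```

Run as a scheduled analytics rule with a short lookback; for detection coverage, the same HighRiskUsers set can be joined to SigninLogs (on UserPrincipalName versus AccountUPN) to alert on unusual sign-ins by the same accounts.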