Removing Case sensitivity related to MemberName. The difference between CN= and cn= cause result disparities.

2021-08-16 10:56:50 -07:00 · 2021-08-16 10:56:50 -07:00 · 4b19102df3
--- a/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
+++ b/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
@ -29,7 +29,7 @@ query: |
  // Event ID related to member addition.
  | where EventID in (4728, 4732,4756) 
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID  
-  | parse EventData with * '"MemberName">' AccountAdded ",OU" * 
+  | parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *
  | where isnotempty(AccountAdded)
  | extend GroupAddedTo = TargetUserName, AddingAccount = Account 
  | extend  AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
@ -39,7 +39,7 @@ query: |
  // Event IDs related to member removal.
  | where EventID in (4729,4733,4757)
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID 
-  | parse EventData with * '"MemberName">' AccountRemoved ",OU" * 
+  | parse EventData with * '"MemberName">' * '=' AccountRemoved ",OU" * 
  | where isnotempty(AccountRemoved)
  | extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account
  | extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
@ -60,4 +60,4 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.1
--- a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
+++ b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
@ -36,7 +36,7 @@ query: |
  | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
  // Exclude Remote Desktop Users group: S-1-5-32-555
  | where TargetSid !in ("S-1-5-32-555")
-  | extend SimpleMemberName = tostring(split(tostring(split(MemberName, ",")[0]),"CN=")[1])
+  | extend SimpleMemberName = tostring(split(tostring(split(MemberName, ",")[0]),"=")[1])
  | project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid
  | extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer
 entityMappings:
@ -48,4 +48,4 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 1.0.1