From 4b19102df374710255838bfe4e121c06eecc0371 Mon Sep 17 00:00:00 2001
From: "Ajeet Prakash (MSTIC)"
Date: Mon, 16 Aug 2021 10:56:50 -0700
Subject: [PATCH] Removing Case sensitivity related to MemberName. The difference between CN= and cn= cause result disparities.
---
 Detections/SecurityEvent/UserAccountAdd-Removed.yaml | 6 +++---
 .../SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Detections/SecurityEvent/UserAccountAdd-Removed.yaml b/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
index 6d3446d901..ad80796428 100644
--- a/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
+++ b/Detections/SecurityEvent/UserAccountAdd-Removed.yaml
@@ -29,7 +29,7 @@ query: |
 // Event ID related to member addition.
 | where EventID in (4728, 4732,4756)
 | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
- | parse EventData with * '"MemberName">' AccountAdded ",OU" *
+ | parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *
 | where isnotempty(AccountAdded)
 | extend GroupAddedTo = TargetUserName, AddingAccount = Account
 | extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, "||", GroupAddedTo, "||", AddingAccount )
@@ -39,7 +39,7 @@ query: |
 // Event IDs related to member removal.
 | where EventID in (4729,4733,4757)
 | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
- | parse EventData with * '"MemberName">' AccountRemoved ",OU" *
+ | parse EventData with * '"MemberName">' * '=' AccountRemoved ",OU" *
 | where isnotempty(AccountRemoved)
 | extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account
 | extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, "||", GroupRemovedFrom, "||", RemovingAccount)
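Review bot: The new `parse` on the `AccountAdded` line still requires the literal `,OU` after the captured name, so a member whose distinguished name has no OU component (one held in a `CN=Users` container, for instance), or whose MemberName is the `-` placeholder that local-group events such as 4732 typically log, yields an empty `AccountAdded` and is silently dropped by the following `where isnotempty(AccountAdded)`; the commit moves only the left boundary of the capture. The default `parse` mode matches literals case-sensitively, so `,ou=` will be missed the same way `cn=` was, and because the `*` before `'='` is not bounded to the MemberName element, a value without any `=` presumably lets the skip run into the next `Name=` attribute in the XML — worth confirming against a real 4728 and 4732 payload. A single regex bounded to the element avoids all three: `| extend AccountAdded = extract(@'"MemberName">[^<]*?=([^,<]+)', 1, EventData)`, keeping the `isnotempty` line as the guard. The `AccountRemoved` parse in the second hunk (at line 39) has the same shape and needs the same change. Both hunks sit inside the multi-line `query: |` block, which starts and ends outside them.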
@@ -60,4 +60,4 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.0
\ No newline at end of file
+version: 1.0.1
\ No newline at end of file
diff --git a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
index f9fc53509d..ccd1ac7e94 100644
--- a/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
+++ b/Detections/SecurityEvent/UserAccountAddedToPrivlegeGroup_1h.yaml
@@ -36,7 +36,7 @@ query: |
 | where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID
 // Exclude Remote Desktop Users group: S-1-5-32-555
 | where TargetSid !in ("S-1-5-32-555")
- | extend SimpleMemberName = tostring(split(tostring(split(MemberName, ",")[0]),"CN=")[1])
+ | extend SimpleMemberName = tostring(split(tostring(split(MemberName, ",")[0]),"=")[1])
 | project StartTimeUtc = TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid
 | extend timestamp = StartTimeUtc, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer
 entityMappings:
@@ -48,4 +48,4 @@ entityMappings:
 fieldMappings:
 - identifier: FullName
 columnName: HostCustomEntity
-version: 1.0.0
\ No newline at end of file
+version: 1.0.1
\ No newline at end of file
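Review bot: Splitting on `=` instead of `CN=` fixes the case problem, but the outer `split(MemberName, ",")[0]` still cuts at the first comma, so a common name with an RFC 4514 escaped comma (`CN=Doe\, John,OU=...`) ends up as `Doe\` in `SimpleMemberName`, and a MemberName with no `=` at all (the `-` placeholder logged for unresolved members) makes index `[1]` fall outside the array, leaving `SimpleMemberName` and therefore `AccountCustomEntity` empty with no fallback. Since the `project` line already carries `MemberSid`, falling back to it keeps the account entity populated: `| extend SimpleMemberName = coalesce(extract(@'^[^=]+=((?:[^,\\]|\\.)+)', 1, MemberName), MemberSid)` — the escaped-comma handling in that regex should be checked against real event samples before relying on it. The `query: |` block this line belongs to starts outside the hunk.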