Query Details
// Domains whose account creations are in scope for this detection
let _MonitoredDomains = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "ADDomain"
    | summarize make_list(Auxiliar)
);
// Principals allowed to create accounts without raising an alert
let _AccountOperators = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "AccountOperator"
    | summarize make_list(ActorPrincipalName)
);
// Anchored regex of expected "<creator>,<new UPN>" pairs, one alternation per watchlist row
let _ExpectedCreatedAccounts = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "ADAccountCreation"
    | summarize RegEx = strcat(@'^(', strcat_array(make_list(Auxiliar), '|'), @')$')
);
SecurityEvent
| where EventID == 4720  // A user account was created
| where TargetDomainName in (_MonitoredDomains) and not(Account in (_AccountOperators))
| where not(strcat(SubjectAccount, ",", UserPrincipalName) matches regex _ExpectedCreatedAccounts)
| project
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    Activity,
    TargetAccount,
    DisplayName,
    UserPrincipalName,
    SubjectLogonId,
    EventData
This query looks for account-creation events (EventID 4720) in an Active Directory environment. It first builds, from the "Activity-ExpectedSignificantActivity" watchlist, the list of monitored domains, the list of account operators allowed to create accounts, and an anchored regular expression of expected creator/UPN pairs. It then filters SecurityEvent to events whose TargetDomainName is monitored, whose creating Account is not a listed operator, and whose SubjectAccount and UserPrincipalName pair does not match an expected creation, so that only unexpected or unauthorized account creations remain. The result projects the timestamp, computer, creating account, target account and related details for each matching event.
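The same filtering logic, as an added Python example that is not part of the original query or its author's work, run over a constructed watchlist and a handful of constructed SecurityEvent rows. The column names follow the query; all values are made up. One deliberate difference: the KQL joins the watchlist's Auxiliar values into the regex verbatim, so any regex metacharacters in them (the "." in a UPN, the backslash in DOMAIN\user) are read as regex syntax, whereas this example escapes each value with re.escape so the pair is matched literally.

```python
import re

# Constructed watchlist rows standing in for "Activity-ExpectedSignificantActivity".
WATCHLIST = [
    {"Activity": "ADDomain", "Auxiliar": "CORP", "ActorPrincipalName": ""},
    {"Activity": "AccountOperator", "Auxiliar": "", "ActorPrincipalName": r"CORP\svc-idm"},
    {"Activity": "ADAccountCreation",
     "Auxiliar": r"CORP\hr-onboard,j.doe@corp.example", "ActorPrincipalName": ""},
]

# Columns kept by the query's project clause.
PROJECTED = ["TimeGenerated", "Computer", "Account", "AccountType", "Activity",
             "TargetAccount", "DisplayName", "UserPrincipalName", "SubjectLogonId", "EventData"]


def event(creator, target, upn, domain="CORP", event_id=4720):
    """Build one constructed SecurityEvent row (Account/SubjectAccount = creator)."""
    return {
        "TimeGenerated": "2024-03-19T08:00:00Z", "Computer": f"dc01.{domain.lower()}.example",
        "EventID": event_id, "TargetDomainName": domain,
        "Account": creator, "SubjectAccount": creator,
        "TargetAccount": target, "UserPrincipalName": upn,
        "AccountType": "User", "Activity": f"{event_id} - A user account was created.",
        "DisplayName": target.split("\\")[-1], "SubjectLogonId": "0x3e7", "EventData": "",
    }


# Constructed events: two should be flagged, the rest are excluded by one filter each.
EVENTS = [
    event(r"CORP\svc-idm", r"CORP\a.smith", "a.smith@corp.example"),            # listed operator
    event(r"CORP\hr-onboard", r"CORP\j.doe", "j.doe@corp.example"),              # expected pair
    event(r"CORP\hr-onboard", r"CORP\jxdoe", "jxdoe@corp.example"),              # unexpected -> hit
    event(r"CORP\m.jones", r"CORP\backdoor", "backdoor@corp.example"),           # unexpected -> hit
    event(r"LAB\admin", r"LAB\tmp", "tmp@lab.example", domain="LAB"),            # domain not monitored
    event(r"CORP\m.jones", r"CORP\x", "x@corp.example", event_id=4726),          # not a 4720
]


def monitored_domains(watchlist):
    return [r["Auxiliar"] for r in watchlist if r["Activity"] == "ADDomain"]


def account_operators(watchlist):
    return [r["ActorPrincipalName"] for r in watchlist if r["Activity"] == "AccountOperator"]


def expected_created_accounts_regex(watchlist):
    """Same shape as strcat(@'^(', strcat_array(make_list(Auxiliar), '|'), @')$'),
    but each value is escaped so it matches literally (the query does not escape)."""
    parts = [re.escape(r["Auxiliar"]) for r in watchlist if r["Activity"] == "ADAccountCreation"]
    return re.compile("^(" + "|".join(parts) + ")$")


def suspicious_account_creations(events, watchlist):
    """Apply the query's three where-clauses and project the surviving rows."""
    domains = monitored_domains(watchlist)
    operators = account_operators(watchlist)
    expected = expected_created_accounts_regex(watchlist)
    hits = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        if e["TargetDomainName"] not in domains or e["Account"] in operators:
            continue
        # Creator and new UPN are concatenated exactly as the query does before matching.
        if expected.search(e["SubjectAccount"] + "," + e["UserPrincipalName"]):
            continue
        hits.append({k: e[k] for k in PROJECTED})
    return hits


if __name__ == "__main__":
    for h in suspicious_account_creations(EVENTS, WATCHLIST):
        print(h["Account"], "created", h["TargetAccount"], "->", h["UserPrincipalName"])
```

Running the block prints the two unexpected creations (the jxdoe and backdoor rows); the operator-created, expected, out-of-domain and non-4720 rows are dropped by the same three conditions the query applies.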

Jose Sebastián Canós
Released: March 19, 2024