Query Details

Security Event Object Name GUID SAM Account Name

Query

// Tools like Active Directory Explorer (https://live.sysinternals.com/ADExplorer.exe) can let you check the name of an object GUID
// Populate this list with the object names to search for (the query ships with it empty)
let object_names = dynamic([]);
SecurityEvent
| where TimeGenerated > ago(14d) and EventData has_any (object_names)
// Flatten the EventData XML into one property bag per event, keyed by each Data element's Name attribute
| extend Auxiliar = parse_xml(EventData)["EventData"]["Data"]
| mv-apply Auxiliar on (
    summarize BagToUnpack = make_bag(pack(tostring(Auxiliar["@Name"]), tostring(Auxiliar["#text"])))
)
| evaluate bag_unpack(BagToUnpack, columnsConflict="keep_source")
| extend
    // CN component of the distinguished name; GUID normalised to lower case with braces and whitespace removed
    SamAccountName = extract(@"(?i:CN\=)([^,]+)", 1, column_ifexists("ObjectDN", "")),
    ObjectGUID = tolower(trim(@"[\{\}\s]+", column_ifexists("ObjectGUID", "")))
| distinct SamAccountName, ObjectGUID

Explanation

This query looks at security events from the past 14 days whose EventData contains any of the specified object names. It parses the EventData XML and flattens its Data elements into a property bag (a dynamic key-value object), then unpacks that bag into columns and extracts SamAccountName and ObjectGUID. SamAccountName is taken from the CN component of the ObjectDN column (note that an object's common name does not always match its real sAMAccountName), and ObjectGUID is taken from its own column, lower-cased with surrounding braces and whitespace removed. Finally the query removes duplicates, leaving only unique combinations of SamAccountName and ObjectGUID.
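To check the parsing and normalisation steps offline, here is an added Python re-implementation of the query's logic (not part of the original query or the author's work). The EventData XML samples and GUIDs are constructed, and KQL's term-based has_any is approximated by a case-insensitive substring match:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample events (not real telemetry): the EventData XML a Windows
# Security event carries, with the ObjectDN / ObjectGUID Data elements a
# directory-service change event uses. GUIDs are made-up placeholders.
SAMPLE_EVENTS = [
    '<EventData><Data Name="SubjectUserName">admin</Data>'
    '<Data Name="ObjectDN">CN=jdoe,OU=Users,DC=contoso,DC=com</Data>'
    '<Data Name="ObjectGUID">{1B2C3D4E-0000-1111-2222-333344445555}</Data></EventData>',
    # same object again, GUID logged without braces: must collapse to one row
    '<EventData><Data Name="ObjectDN">CN=jdoe,OU=Users,DC=contoso,DC=com</Data>'
    '<Data Name="ObjectGUID">1b2c3d4e-0000-1111-2222-333344445555</Data></EventData>',
    '<EventData><Data Name="ObjectDN">CN=svc-backup,OU=Service Accounts,DC=contoso,DC=com</Data>'
    '<Data Name="ObjectGUID">{9F8E7D6C-AAAA-BBBB-CCCC-DDDDEEEEFFFF}</Data></EventData>',
]

CN_RE = re.compile(r"(?i:CN=)([^,]+)")  # same pattern as the query's extract()


def unpack_event_data(xml_text):
    """Mirror parse_xml + make_bag + bag_unpack: map each Data @Name to its #text."""
    bag = {}
    for data in ET.fromstring(xml_text).iter("Data"):
        name = data.get("Name")
        if name is not None:
            bag[name] = data.text or ""
    return bag


def extract_identity(bag):
    """Mirror the extend step: CN from ObjectDN, GUID lower-cased without braces."""
    match = CN_RE.search(bag.get("ObjectDN", ""))
    sam = match.group(1) if match else ""
    guid = bag.get("ObjectGUID", "").strip("{} \t\r\n").lower()
    return sam, guid


def distinct_identities(events, object_names):
    """Mirror the whole query: filter on object names, unpack, extract, distinct."""
    seen = []
    for event in events:
        # approximation of has_any: KQL matches whole terms, this matches substrings
        if not any(name.lower() in event.lower() for name in object_names):
            continue
        pair = extract_identity(unpack_event_data(event))
        if pair not in seen:
            seen.append(pair)
    return seen
```

Feeding an empty object_names list returns no rows, which matches the behaviour of the query as shipped with its empty list.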

Details

Jose Sebastián Canós

Released: September 17, 2023

Tables

SecurityEvent

Keywords

SecurityEvent, TimeGenerated, EventData, ObjectDN, ObjectGUID, SamAccountName

Operators

let, dynamic, SecurityEvent, where, ago, has_any, extend, parse_xml, mv-apply, summarize, make_bag, pack, tostring, evaluate, bag_unpack, extract, column_ifexists, tolower, trim, distinct