Watchlists in Microsoft Sentinel allow you to correlate data from a data source you provide with the events in your Microsoft Sentinel environment. For example, you might create a watchlist with a list of high-value assets, terminated employees, or service accounts in your environment.
Microsoft Sentinel customers often ask whether it is possible to create analytics rules only for important (privileged) users such as Domain Admins and Enterprise Admins. The built-in rules “Excessive Windows logon failures”, “Multiple RDP connections from Single System” and “RDP Nesting” are example use cases for tracking anomalies on privileged accounts.
By using watchlists, you can import on-premises AD privileged users into Microsoft Sentinel and create analytics rules based on your needs. Because this operation is manual and the watchlist must be kept up to date, you would have to add or remove watchlist items whenever a user is added to or removed from a privileged group such as Domain Admins.
As a solution to this, I’ve created a logic app that connects to one of the on-premises servers (not a domain controller) with a standard read-only user to gather privileged users, then updates a watchlist based on this list.
Create an Automation Account from the Azure Portal
Deploy the Automation Hybrid Worker solution from the Azure Marketplace
Go to the Automation Account menu and create a Hybrid Worker Group
In the Basics menu, I’m adding credentials (they will be used to gather privileged users from AD; since all users can read domain user properties, a standard domain user is enough).
In the Hybrid Workers menu, I’ll pick one of the Windows servers that is already reporting to the Sentinel-enabled Log Analytics workspace.
This server will be responsible for gathering privileged users from AD. To do this, first connect to the server via RDP, then run the following PowerShell cmdlet so that the AD-related cmdlets are available.
To create a new PowerShell runbook, navigate to your Automation Account and select the Runbooks blade. Then create a runbook, select PowerShell from the Runbook type menu and paste the script below in the resulting window. Click Save, then Publish to activate the runbook.
# Users with adminCount=1 (members of AdminSDHolder-protected groups), returned as JSON with SID and CN
Get-ADUser -Filter "adminCount -eq 1" -Properties sid, cn | Select-Object sid, cn | ConvertTo-Json
The most up-to-date version of this query will always be in my own GitHub repo here: https://github.com/Yaerdem/Sentinel/blob/main/Queries/GetOnPremPrivUsers.txt
You can test your runbook to check that everything is working properly.
When the task completes, you should see all your privileged accounts in the output. You can change the script according to your needs, e.g. to gather only Domain Admins, or custom groups (SAP users, VIP users, HR users…).
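As an added example (not the author’s runbook and not from the linked repo), here is a runbook variant that enumerates the members of named privileged groups instead of relying on adminCount alone. It assumes the ActiveDirectory (RSAT) module is present on the hybrid worker and that the runbook credential can read group membership; the default group list is an assumption to adapt. It also warns about accounts that still carry adminCount=1 although they are no longer in any listed group, since AdminSDHolder sets that attribute but never clears it, so the original filter keeps reporting such users to the watchlist.

```powershell
# Added example (not the original runbook): list members of named privileged groups
# recursively and emit the same sid/cn JSON shape as the original script.
# Assumptions: ActiveDirectory module installed on the hybrid worker; the credential can
# read group membership; the group list below is an illustrative default.
param(
    [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
)

Import-Module ActiveDirectory -ErrorAction Stop

$seen = @{}   # keyed by SID so a user in several groups is listed once
foreach ($group in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups; keep only user objects
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }
    } catch {
        Write-Warning "Skipping group '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $sid = $m.SID.Value
        if (-not $seen.ContainsKey($sid)) {
            $user = Get-ADUser -Identity $sid -Properties cn, adminCount
            $seen[$sid] = [pscustomobject]@{
                sid        = $sid
                cn         = $user.cn
                group      = $group
                adminCount = $user.adminCount   # 1 is sticky once set by AdminSDHolder
            }
        }
    }
}

# Accounts that still have adminCount=1 but are in none of the listed groups:
# the original adminCount filter would keep reporting them to the watchlist.
Get-ADUser -Filter "adminCount -eq 1" -Properties cn |
    Where-Object { -not $seen.ContainsKey($_.SID.Value) } |
    ForEach-Object { Write-Warning "Stale adminCount on $($_.cn) ($($_.SID.Value))" }

# Output the same two columns as the original script so the rest of the flow is unchanged
$seen.Values | Select-Object sid, cn | ConvertTo-Json
```

Run it as the runbook with your own `-PrivilegedGroups` list; the warnings appear in the job’s output stream and are not part of the JSON.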
Logic Apps Deployment
First of all, download the logic app template file (.json format) from the GitHub URL: Sentinel/Watchlist-Add-OnPremADPrivUsersToWatchList.json at main · Yaerdem/Sentinel (github.com)
Go to the Azure Portal and search for “template”
Load the Watchlist-Add-OnPremADPrivUsersToWatchList.json file you downloaded from GitHub.
Fill in the parameters according to your Azure environment:
Resource Group: name of the resource group in which you want to deploy this logic app
Region: region for this logic app
Playbook Name: name of the logic app
Automation Account Name: name of the Automation Account you created before the logic app
Log Analytics Workspace ID: workspace ID of the Sentinel-enabled Log Analytics workspace
Resource Group for Automation: name of the resource group that contains the Automation Account you created
Resource Group for Log Analytics WS: name of the resource group that contains your Microsoft Sentinel-enabled Log Analytics workspace
Runbook Name: name of the runbook you created in the Automation Account
Subscription ID: ID of the subscription that contains your Log Analytics workspace and Automation Account
Watchlist Alias: alias of the watchlist that will be created by this logic app
Worker Group Name: name of the Hybrid Worker Group you created in the Automation Account
After creation, you should see that the deployment is complete.
Fix all the connections according to your Azure environment, as shown below.
Run the logic app
Go to Microsoft Sentinel and view your newly created watchlist
You can use this watchlist to create your own analytics rule. I’m sharing one example query against this watchlist that gathers only privileged users’ successful logon activities.
SecurityEvent
| where EventID == 4624   // successful logon
| where TargetUserSid in (
    // replace <watchlist alias> with the Watchlist Alias you set in the template
    _GetWatchlist('<watchlist alias>')
    | project SearchKey)
The most up-to-date version of this query will always be in my own GitHub repo here: https://github.com/Yaerdem/Sentinel/blob/main/Queries/WatchlistSearchinSecurityEvent.txt