Hello team,
I need help to build a LEQL query. I want to alert on users who are part of the Domain Admins group at any time of the day, and on users who are part of the Domain Admins group outside of normal hours. I'm trying but nothing works; can anyone shed some light or offer suggestions?
where(
  (
    source_json.eventCode = "4724"
    OR source_json.System.EventID = "4724"
    OR source_data ICONTAINS-ANY [" 4724 ", "\t4724\t"]
  )
  AND (
    target_user_domain = "Domain Admins"
    OR (
      target_user_domain != "Domain Admins"
      AND timestamp = /\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])T(19|20|21|22|23|00|01|02|03|04|05|06):[0-5][0-9]:[0-5][0-9]/
    )
  )
)
AFAIK there is no attribute in the log that contains group membership information. It seems you’re looking for group information in target_user_domain, but that field just contains your AD domain.
I've faced a similar issue of trying to filter logs by the group membership of a user. What I did was export the usernames of the members of a group and store them in a variable, then do a "where account in [${variable}]".
Hello aware,
You're right. Do you have any query that has a timestamp? I'm creating this one, and I'm going to start using the variable to create custom rules too.