User Added to Local Administrators Group XQL Query

Prashanta — Tue, 13 May 2025 05:46:14 GMT

Hi Family ,
I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the administrators group.

dataset = xdr_data
|filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728)

here i attached an reference link
GitHub - ItamarSafri/CortexXDR-XQL: Cortex XDR XQL Queries

Thank You.

Re: User Added to Local Administrators Group XQL Query

aspatil — Tue, 13 May 2025 06:14:24 GMT

Hello @Prashanta ,

You can refer to below query which gives more details and reduces noise. Create correlation rule to generate an alert.

// Use the XDR Event Log preset
preset = xdr_event_log

// Filter for Event ID 4732: Member added to security-enabled local group
| filter action_evtlog_event_id = 4732
| filter action_evtlog_data_fields contains "Administrators"

// Extract and rename useful fields
| alter
ProvisionerSid = action_evtlog_data_fields -> SubjectUserSid,
ProvisionerUserName = action_evtlog_data_fields -> SubjectUserName,
ProvisionerDomain = action_evtlog_data_fields -> SubjectDomainName,
SidOfUser = action_evtlog_data_fields -> MemberSid,
LocalGroupName = action_evtlog_data_fields -> TargetUserName,
LocalDomainName = action_evtlog_data_fields -> TargetDomainName,
LocalGroupSid = action_evtlog_data_fields -> TargetSid

// Filter out system-generated events (e.g., SYSTEM account)
// Comment this out if you want to inspect all activity
| filter ProvisionerSid != "S-1-5-18"

// Keep only relevant fields for clarity
| fields agent_hostname, ProvisionerSid, ProvisionerUserName, ProvisionerDomain,
LocalGroupName, LocalDomainName, LocalGroupSid, SidOfUser,
_time as UserAddedToAdmin_Timestamp

// Join with host inventory for resolving SID-to-username outside retention
| join type = left conflict_strategy = left (
preset = host_inventory_users
| fields name, sid
) as host_inv SidOfUser = host_inv.sid

// Optional: Join with Event ID 4720 (user created) within the last 24h
| join type = left conflict_strategy = left (
preset = xdr_event_log
| filter action_evtlog_event_id = 4720
| alter
NewUserSid = action_evtlog_data_fields -> TargetSid,
NewUserName = action_evtlog_data_fields -> SamAccountName,
UserAdded_Timestamp = _time
| fields NewUserSid, NewUserName, UserAdded_Timestamp
) as NewUser_Added SidOfUser = NewUser_Added.NewUserSid

// Deduplicate on key fields to avoid repeated entries
| dedup agent_hostname, ProvisionerSid, ProvisionerUserName, ProvisionerDomain,
LocalGroupName, LocalDomainName, LocalGroupSid, SidOfUser

// Final tidy fields
| fields _time, agent_hostname, ProvisionerSid, ProvisionerDomain, ProvisionerUserName,
UserAdded_Timestamp, UserAddedToAdmin_Timestamp, SidOfUser, LocalGroupSid,
LocalDomainName, LocalGroupName, NewUserName, name

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Re: User Added to Local Administrators Group XQL Query

Prashanta — Tue, 13 May 2025 07:50:06 GMT

Thanks ,

I want to show all local users who are members of the Administrators group, excluding users named test1 and test2. note : The users test1 and test2 were previously added to the Administrators group. so, i want to exclude. Thank you

topic Re: User Added to Local Administrators Group XQL Query in Cortex XDR Discussions

User Added to Local Administrators Group XQL Query

Re: User Added to Local Administrators Group XQL Query

Re: User Added to Local Administrators Group XQL Query