05-12-2025 10:46 PM
Hi Family,
I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the Administrators group.
dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728)
Here I attached a reference link:
GitHub - ItamarSafri/CortexXDR-XQL: Cortex XDR XQL Queries
Thank You.
05-12-2025 11:14 PM
Hello @Prashanta,
You can refer to the query below, which gives more details and reduces noise. Create a correlation rule from it to generate an alert.
// Use the XDR Event Log preset
preset = xdr_event_log
// Filter for Event ID 4732: Member added to security-enabled local group
| filter action_evtlog_event_id = 4732
| filter action_evtlog_data_fields contains "Administrators"
// Extract and rename useful fields
| alter
    ProvisionerSid = action_evtlog_data_fields -> SubjectUserSid,
    ProvisionerUserName = action_evtlog_data_fields -> SubjectUserName,
    ProvisionerDomain = action_evtlog_data_fields -> SubjectDomainName,
    SidOfUser = action_evtlog_data_fields -> MemberSid,
    LocalGroupName = action_evtlog_data_fields -> TargetUserName,
    LocalDomainName = action_evtlog_data_fields -> TargetDomainName,
    LocalGroupSid = action_evtlog_data_fields -> TargetSid
// Filter out system-generated events (e.g., SYSTEM account)
// Comment this out if you want to inspect all activity
| filter ProvisionerSid != "S-1-5-18"
// Keep only relevant fields for clarity
| fields agent_hostname, ProvisionerSid, ProvisionerUserName, ProvisionerDomain,
    LocalGroupName, LocalDomainName, LocalGroupSid, SidOfUser,
    _time as UserAddedToAdmin_Timestamp
// Join with host inventory for resolving SID-to-username outside retention
| join type = left conflict_strategy = left (
        preset = host_inventory_users
        | fields name, sid
    ) as host_inv SidOfUser = host_inv.sid
// Optional: Join with Event ID 4720 (user created) within the last 24h
| join type = left conflict_strategy = left (
        preset = xdr_event_log
        | filter action_evtlog_event_id = 4720
        | alter
            NewUserSid = action_evtlog_data_fields -> TargetSid,
            NewUserName = action_evtlog_data_fields -> SamAccountName,
            UserAdded_Timestamp = _time
        | fields NewUserSid, NewUserName, UserAdded_Timestamp
    ) as NewUser_Added SidOfUser = NewUser_Added.NewUserSid
// Deduplicate on key fields to avoid repeated entries
| dedup agent_hostname, ProvisionerSid, ProvisionerUserName, ProvisionerDomain,
    LocalGroupName, LocalDomainName, LocalGroupSid, SidOfUser
// Final tidy fields
| fields _time, agent_hostname, ProvisionerSid, ProvisionerDomain, ProvisionerUserName,
    UserAdded_Timestamp, UserAddedToAdmin_Timestamp, SidOfUser, LocalGroupSid,
    LocalDomainName, LocalGroupName, NewUserName, name
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
05-13-2025 12:00 AM - edited 05-13-2025 12:50 AM
Thanks,
I want to show all local users who are members of the Administrators group, excluding the users named test1 and test2.
Note: the users test1 and test2 were previously added to the Administrators group, so I want to exclude them.
Thank you
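As an added illustration (not part of either post, and not XQL), the following Python models offline what the XQL answer above does and what the follow-up asks for: match 4732 adds to BUILTIN\Administrators with a 4720 creation of the same member SID within 24 hours, drop SYSTEM-driven adds, resolve remaining SIDs through a stand-in for host_inventory_users, and skip an exclusion list such as test1/test2. The event records, SIDs and host names are constructed sample data.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"        # excluded in the XQL (ProvisionerSid != ...)
ADMINS_SID = "S-1-5-32-544"    # well-known SID of BUILTIN\Administrators

# Constructed sample telemetry (not real logs); keys mirror the Windows
# Security-log data fields the XQL extracts from action_evtlog_data_fields.
EVENTS = [
    {"host": "ws01", "time": "2025-05-12T20:00:00", "event_id": 4720,
     "SubjectUserSid": "S-1-5-21-1-1-1-1001", "SubjectUserName": "jdoe",
     "TargetSid": "S-1-5-21-1-1-1-1105", "SamAccountName": "svc_backup"},
    {"host": "ws01", "time": "2025-05-12T20:03:00", "event_id": 4732,
     "SubjectUserSid": "S-1-5-21-1-1-1-1001", "SubjectUserName": "jdoe",
     "MemberSid": "S-1-5-21-1-1-1-1105", "TargetSid": ADMINS_SID},
    {"host": "ws02", "time": "2025-05-12T21:00:00", "event_id": 4732,
     "SubjectUserSid": "S-1-5-21-2-2-2-1002", "SubjectUserName": "helpdesk",
     "MemberSid": "S-1-5-21-2-2-2-1010", "TargetSid": ADMINS_SID},
    {"host": "ws02", "time": "2025-05-12T21:05:00", "event_id": 4732,
     "SubjectUserSid": SYSTEM_SID, "SubjectUserName": "WS02$",
     "MemberSid": "S-1-5-21-2-2-2-1011", "TargetSid": ADMINS_SID},
]
# Constructed stand-in for the host_inventory_users preset: SID -> account name.
HOST_USERS = {"S-1-5-21-2-2-2-1010": "test1", "S-1-5-21-2-2-2-1011": "ops"}


def admin_group_adds(events, host_users, exclude=(), window=timedelta(hours=24)):
    """Model the XQL: 4732 adds to Administrators by a non-SYSTEM actor,
    left-joined to a 4720 for the same member SID within `window`; member
    names listed in `exclude` are dropped (the test1/test2 case)."""
    created = {e["TargetSid"]: e for e in events if e["event_id"] == 4720}
    hits = []
    for e in events:
        if e["event_id"] != 4732 or e["TargetSid"] != ADMINS_SID:
            continue
        if e["SubjectUserSid"] == SYSTEM_SID:          # SYSTEM / machine noise
            continue
        new = created.get(e["MemberSid"])
        if new and not (timedelta(0) <= datetime.fromisoformat(e["time"])
                        - datetime.fromisoformat(new["time"]) <= window):
            new = None                                  # creation outside window
        member = (new["SamAccountName"] if new
                  else host_users.get(e["MemberSid"], e["MemberSid"]))
        if member in exclude:
            continue
        hits.append({"host": e["host"], "actor": e["SubjectUserName"],
                     "member": member, "member_sid": e["MemberSid"],
                     "created_then_added": new is not None})
    return hits
```

Running `admin_group_adds(EVENTS, HOST_USERS, exclude={"test1", "test2"})` on the sample returns only the ws01 event where jdoe created svc_backup and added it to Administrators three minutes later.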