User Added to Local Administrators Group XQL Query


Hi Family,
I want to create a Cortex XDR query that generates an alert when a user creates a local account and adds it to the Administrators group.


dataset = xdr_data
| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id in (4732, 4728)

Here I attached a reference link:
GitHub - ItamarSafri/CortexXDR-XQL: Cortex XDR XQL Queries

Thank you.

Hello @Prashanta,

You can refer to the query below, which gives more details and reduces noise. Create a correlation rule on it to generate an alert.

// Use the XDR Event Log preset
preset = xdr_event_log

// Filter for Event ID 4732: Member added to security-enabled local group
| filter action_evtlog_event_id = 4732
| filter action_evtlog_data_fields contains "Administrators"

// Extract and rename useful fields
| alter
ProvisionerSid = action_evtlog_data_fields -> SubjectUserSid,
ProvisionerUserName = action_evtlog_data_fields -> SubjectUserName,
ProvisionerDomain = action_evtlog_data_fields -> SubjectDomainName,
SidOfUser = action_evtlog_data_fields -> MemberSid,
LocalGroupName = action_evtlog_data_fields -> TargetUserName,
LocalDomainName = action_evtlog_data_fields -> TargetDomainName,
LocalGroupSid = action_evtlog_data_fields -> TargetSid

// Filter out system-generated events (e.g., SYSTEM account)
// Comment this out if you want to inspect all activity
| filter ProvisionerSid != "S-1-5-18"

// Keep only relevant fields for clarity
| fields agent_hostname, ProvisionerSid, ProvisionerUserName, ProvisionerDomain,
LocalGroupName, LocalDomainName, LocalGroupSid, SidOfUser,
_time as UserAddedToAdmin_Timestamp

// Join with host inventory for resolving SID-to-username outside retention
| join type = left conflict_strategy = left (
preset = host_inventory_users
| fields name, sid
) as host_inv SidOfUser = host_inv.sid

// Optional: Join with Event ID 4720 (user created) within the last 24h
| join type = left conflict_strategy = left (
preset = xdr_event_log
| filter action_evtlog_event_id = 4720
| alter
NewUserSid = action_evtlog_data_fields -> TargetSid,
NewUserName = action_evtlog_data_fields -> SamAccountName,
UserAdded_Timestamp = _time
| fields NewUserSid, NewUserName, UserAdded_Timestamp
) as NewUser_Added SidOfUser = NewUser_Added.NewUserSid

// Deduplicate on key fields to avoid repeated entries
| dedup agent_hostname, ProvisionerSid, ProvisionerUserName, ProvisionerDomain,
LocalGroupName, LocalDomainName, LocalGroupSid, SidOfUser

// Final tidy fields
| fields _time, agent_hostname, ProvisionerSid, ProvisionerDomain, ProvisionerUserName,
UserAdded_Timestamp, UserAddedToAdmin_Timestamp, SidOfUser, LocalGroupSid,
LocalDomainName, LocalGroupName, NewUserName, name

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution". Thank you.

Ashutosh Patil

Thanks,

I want to show all local users who are members of the Administrators group, excluding users named test1 and test2.
Note: the users test1 and test2 were previously added to the Administrators group, so I want to exclude them.

Thank you
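As an added example (not from this thread), the same detection logic as the XQL reply, plus the exclusion list from the follow-up question, applied in Python to constructed sample 4720/4732 events: skip additions made by SYSTEM, drop members on the exclusion list, and tag each remaining addition with a user-creation event seen within 24 hours. Hosts, SIDs and account names are hypothetical.

```python
from datetime import datetime, timedelta

SYSTEM_SID = "S-1-5-18"               # LocalSystem, filtered out as in the XQL reply
EXCLUDED_NAMES = {"test1", "test2"}   # known-good members from the follow-up question

# Constructed sample events (hypothetical hosts, SIDs and names), shaped like the
# action_evtlog_data_fields values the XQL above extracts.
EVENTS = [
    {"id": 4720, "time": "2024-05-01T10:00:00", "host": "WS01",
     "f": {"TargetSid": "S-1-5-21-1-2-3-1001", "SamAccountName": "svc_backup"}},
    {"id": 4732, "time": "2024-05-01T10:02:00", "host": "WS01",
     "f": {"SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "admin",
           "MemberSid": "S-1-5-21-1-2-3-1001", "TargetUserName": "Administrators"}},
    {"id": 4732, "time": "2024-05-01T11:00:00", "host": "WS02",
     "f": {"SubjectUserSid": SYSTEM_SID, "SubjectUserName": "WS02$",
           "MemberSid": "S-1-5-21-1-2-3-1002", "TargetUserName": "Administrators"}},
    {"id": 4732, "time": "2024-05-01T12:00:00", "host": "WS03",
     "f": {"SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "admin",
           "MemberSid": "S-1-5-21-1-2-3-1003", "TargetUserName": "Administrators"}},
    {"id": 4732, "time": "2024-05-01T13:00:00", "host": "WS03",
     "f": {"SubjectUserSid": "S-1-5-21-1-2-3-500", "SubjectUserName": "admin",
           "MemberSid": "S-1-5-21-1-2-3-1004", "TargetUserName": "Administrators"}},
]
# Constructed stand-in for the host_inventory_users preset (SID -> account name)
HOST_INVENTORY = {"S-1-5-21-1-2-3-1001": "svc_backup", "S-1-5-21-1-2-3-1002": "test1",
                  "S-1-5-21-1-2-3-1003": "test2", "S-1-5-21-1-2-3-1004": "svc_mon"}

def admin_group_additions(events, inventory, window=timedelta(hours=24)):
    """One alert per 4732 into Administrators not performed by SYSTEM and whose member
    is not excluded; new_user is set when a 4720 for that SID precedes it within window."""
    created = {}  # MemberSid -> (SamAccountName, creation time) from 4720 events
    for e in events:
        if e["id"] == 4720:
            created[e["f"]["TargetSid"]] = (e["f"]["SamAccountName"],
                                            datetime.fromisoformat(e["time"]))
    alerts = []
    for e in events:
        f = e["f"]
        if e["id"] != 4732 or f.get("TargetUserName") != "Administrators":
            continue
        if f["SubjectUserSid"] == SYSTEM_SID:
            continue  # system-generated, same filter as ProvisionerSid != "S-1-5-18"
        member = inventory.get(f["MemberSid"])  # SID-to-name via host inventory
        if member in EXCLUDED_NAMES:
            continue
        t = datetime.fromisoformat(e["time"])
        new_user = None
        if f["MemberSid"] in created and timedelta(0) <= t - created[f["MemberSid"]][1] <= window:
            new_user = created[f["MemberSid"]][0]  # account was created shortly before
        alerts.append({"host": e["host"], "by": f["SubjectUserName"], "member_sid": f["MemberSid"],
                       "member_name": member, "new_user": new_user, "time": e["time"]})
    return alerts
```

With the sample data this yields two alerts: the WS01 addition of the freshly created svc_backup, and the WS03 addition of svc_mon with no matching 4720.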
