ecrv

Reputation: 1

Manage account exclusions starting with *** with a Watchlist

I would like to make a rule that will check if a user is a privileged account or not. To do this, there's a watchlist with account name templates (e.g. adm.;aadz-;kaadmin;t0_). The final aim is to check from the watchlist whether the user's name begins with the name entered in the watchlist, or whether the name is the one entered directly.

// Expand the ';'-separated name templates from the watchlist into one row per template
let Tiering = _GetWatchlist('AccountInfo')
| mv-expand Priv = split(tostring(['PrivAccount-Startwith']), ';')
| project Priv;
// Successful logons (4624) of type RemoteInteractive (LogonType 10)
SecurityEvent
| where EventID == 4624 and LogonType == 10
// Drop the DOMAIN\ part and lower-case the account name
| extend AccountName = tolower(tostring(split(Account, @"\")[1]))
| where not(AccountName startswith toscalar(Tiering))
| project-reorder TimeGenerated, AccountName

Upvotes: 0

Views: 47

Answers (1)

Jahnavi

Reputation: 8018

Rather than using the startswith operator when checking the account name of security events against the watchlist account information details, I would suggest you use the has_any operator available in KQL, which:

Filters a record set for data with any set of case-insensitive strings.

Detailed query is given below:

// Expand the ';'-separated name templates from the watchlist into one row per template
let Tiering = _GetWatchlist('watch')
| mv-expand Priv = split(tostring(['PrivAccount-Startwith']), ';')
| project Priv;
// Successful logons (4624) of type RemoteInteractive (LogonType 10)
SecurityEvent
| where EventID == 4624 and LogonType == 10
// Drop the DOMAIN\ part and lower-case the account name
| extend AccountName = tolower(tostring(split(Account, @"\")[1]))
// has_any accepts a single-column tabular expression as its set of values
| where not(AccountName has_any ((Tiering | project Priv)))
| project-reorder TimeGenerated, AccountName

As I do not have any security events triggered in my environment, it showed me no results in the output, but without any error. I have retrieved the watchlist from my Microsoft Sentinel workspace for reference.


References: the project-reorder operator, and the MS Docs page on how to use the has_any operator, with a few examples.

Upvotes: 0
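A query that performs the check the question actually asks for (name begins with any template, or equals one exactly), added here as an example and not code from either post. Note that toscalar() in the question's query returns only the first watchlist row, so only one template is ever tested, and has_any is a term match rather than a prefix match. The watchlist and SecurityEvent are replaced by constructed datatable rows so the query runs in any Kusto workspace; the column name PrivAccount-Startwith and the templates come from the question, the account names and timestamps are made up.

```kql
// Constructed stand-in for _GetWatchlist('AccountInfo'): one row holding the ';'-separated templates
let Tiering = datatable(['PrivAccount-Startwith']:string) ["adm.;aadz-;kaadmin;t0_"]
| mv-expand Priv = split(tostring(['PrivAccount-Startwith']), ';')
| project Priv = tolower(trim(" ", tostring(Priv)))
| where isnotempty(Priv);
// Constructed logon events standing in for SecurityEvent (last row is not LogonType 10 and is filtered out)
let Logons = datatable(TimeGenerated:datetime, EventID:int, LogonType:int, Account:string) [
    datetime(2024-05-01 08:00:00), 4624, 10, @"CONTOSO\adm.jsmith",
    datetime(2024-05-01 08:05:00), 4624, 10, @"CONTOSO\kaadmin",
    datetime(2024-05-01 08:10:00), 4624, 10, @"CONTOSO\T0_Backup",
    datetime(2024-05-01 08:15:00), 4624, 10, @"CONTOSO\jsmith",
    datetime(2024-05-01 08:20:00), 4624, 3,  @"CONTOSO\adm.svc"
];
Logons
| where EventID == 4624 and LogonType == 10
| extend AccountName = tolower(tostring(split(Account, @"\")[1]))
// Cross join on a constant key so every logon is paired with every template
| extend _k = 1
| join kind=leftouter (Tiering | extend _k = 1) on _k
// isnotempty guard: startswith "" is true for any name, which would flag every account as privileged
| summarize Matches = countif(isnotempty(Priv) and (AccountName startswith Priv or AccountName == Priv))
    by TimeGenerated, AccountName
| extend IsPrivileged = Matches > 0
| project TimeGenerated, AccountName, IsPrivileged
| order by TimeGenerated asc
```

To reproduce the question's exclusion, append `| where not(IsPrivileged)`; in production replace the two datatable definitions with _GetWatchlist('AccountInfo') and SecurityEvent.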
