Forum Discussion
Singanna
Jul 26, 2021, Copper Contributor
Active Directory logs in AuditLog table
Hi,
I have an on-prem AD which is streaming the logs into Azure Sentinel. I need to monitor a couple of groups in the on-prem AD, for activities like User Added or Deleted. For this I am checking the AuditLogs table in Sentinel. But I could not find these details in the table.
I am trying to find these details with the below parameters without any success.
OperationName = "Import"
TargetResources contains <DirectoryName> (as I have added a new user to the Directory, I am checking with the directory first, before I dig deep)
Could you please advise if this is not the correct approach.
Thanks
- BilalelHadd, Iron Contributor: Hi Singanna,
Did you try to run a query within Log Analytics to see the results? You could use the below command, for example, to show the members that are added to a security group.
// Members added to security groups
// Who was added to security-enabled group over the last day?
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where TimeGenerated > ago(1d) // limit to the last day, as described in the comment above
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution
- Singanna, Copper Contributor: Thanks Bilal for the response.