Forum Discussion

Singanna
Copper Contributor
Jul 26, 2021

Active Directory logs in AuditLog table

Hi,

I have an on-prem AD which is streaming the logs into Azure Sentinel. I need to monitor a couple of groups in the on-prem AD for activities like User Added or Deleted. For this I am checking the AuditLogs table in Sentinel. But I could not find these details in the table.

I am trying to find these details with the below parameters without any success.

OperationName = "Import"

TargetResources contains <DirectoryName> (As I have added a new user to the directory, I am checking with the directory first, before I dig deep)

Could you please advise if this is not the correct approach.

Thanks

 

  • BilalelHadd
    Iron Contributor
    Hi Singanna,

    Did you try to run a query within Log Analytics to see the results? You could use the below command, for example, to show the members that are added to a security group.

    search *

    // Members added to security groups
    // Who was added to security-enabled group over the last day?
    // To create an alert for this query, click '+ New alert rule'
    SecurityEvent
    | where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
    | summarize count() by SubjectAccount, Computer, _ResourceId
    // This query requires the Security solution
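
The question asks about members being added to and removed from specific groups, while the query in the reply counts additions across all groups. As an added example (not part of either post), the query below covers the add and remove event IDs for global, local and universal security-enabled groups and filters on group name. The names in WatchedGroups and every row of SampleSecurityEvent are constructed; replace SampleSecurityEvent with SecurityEvent to run it against collected data.

```kusto
// Added example, not from the thread.
// WatchedGroups and all rows of SampleSecurityEvent are constructed placeholders.
// Against real data: replace SampleSecurityEvent with SecurityEvent and set the
// time range in the Log Analytics picker (or add a TimeGenerated filter).
let WatchedGroups = dynamic(["Domain Admins", "Helpdesk-Tier2"]);
let SampleSecurityEvent = datatable(
    TimeGenerated:datetime, EventID:int, Computer:string,
    SubjectAccount:string, TargetUserName:string,
    MemberName:string, MemberSid:string)
[
    // member added to a watched global group
    datetime(2021-07-26 09:14:00), 4728, "DC01.example.test", "EXAMPLE\\admin1",
        "Domain Admins", "CN=Test User,OU=Staff,DC=example,DC=test", "S-1-5-21-1-2-3-1105",
    // member removed from the same group
    datetime(2021-07-26 09:40:00), 4729, "DC01.example.test", "EXAMPLE\\admin1",
        "Domain Admins", "CN=Test User,OU=Staff,DC=example,DC=test", "S-1-5-21-1-2-3-1105",
    // member added to a watched universal group
    datetime(2021-07-26 10:02:00), 4756, "DC02.example.test", "EXAMPLE\\admin2",
        "Helpdesk-Tier2", "CN=Other User,OU=Staff,DC=example,DC=test", "S-1-5-21-1-2-3-1106",
    // change to a group that is not watched: filtered out
    datetime(2021-07-26 10:30:00), 4732, "DC01.example.test", "EXAMPLE\\admin2",
        "Print Operators", "CN=Other User,OU=Staff,DC=example,DC=test", "S-1-5-21-1-2-3-1106",
    // unrelated event ID (logon): filtered out
    datetime(2021-07-26 10:31:00), 4624, "DC01.example.test", "EXAMPLE\\admin2",
        "", "", ""
];
SampleSecurityEvent
// 4728/4732/4756 = member added, 4729/4733/4757 = member removed
// (global / local / universal security-enabled group, respectively)
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
// In these events TargetUserName carries the group name
| where TargetUserName in~ (WatchedGroups)
| extend Action = iff(EventID in (4728, 4732, 4756), "Member added", "Member removed")
| extend GroupScope = case(
    EventID in (4728, 4729), "Global",
    EventID in (4732, 4733), "Local",
    "Universal")
| project TimeGenerated, Action, GroupScope, Group = TargetUserName,
          Member = MemberName, MemberSid, ChangedBy = SubjectAccount, Computer
| order by TimeGenerated desc
```

With the constructed rows, the result contains three entries: the Helpdesk-Tier2 addition and the Domain Admins addition and removal.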
