Forum Discussion
Ivan Koshkin
Jun 20, 2018, Copper Contributor
Create query with "where" clause that targets multiple accounts.
I would like to query multiple account's for the same event ID. I tried the syntax below, and it doesn't give me a syntax error, but when I test it there are no results. SecurityEvent | where Ev...
Emilian Ertel
Jun 22, 2018, Brass Contributor
I assume that you only need to have the or statement in the same line with the where clause and it should work.
However, I would prefer the following approach:
datatable (EventID:int, TargetAccount:string)
[
4723, "Domain\\Administrator",
4711, "Domain\\Administrator",
4711, "Domain\\ServiceAccount",
4724, "Domain\\ServiceAccount",
4723, "Domain\\ServiceAccount",
4724, "foo.bar",
]
| where EventID in (4723, 4724)
| where TargetAccount in ("Domain\\Administrator","Domain\\ServiceAccount")
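An added example, not from the thread and not Emilian's or Ivan's own query: it uses a constructed datatable in place of SecurityEvent (the row values are made up) so it runs in any Log Analytics workspace, and it shows the two things the answer leaves implicit: the "or" form has to be parenthesised inside a single "where" so it is not mixed with the EventID test, and "in" is case-sensitive, so an account stored as "DOMAIN\serviceaccount" is silently dropped unless the case-insensitive "in~" is used. A query that parses but returns nothing is often a value mismatch of this kind rather than a syntax problem. The account list is kept in a "let" so it can be extended without touching the filter.

```kql
// Added example. "Accounts" and the datatable rows are constructed for illustration;
// replace the datatable with "SecurityEvent" to run against real audit data.
let Accounts = dynamic(["Domain\\Administrator", "Domain\\ServiceAccount"]);
datatable (TimeGenerated:datetime, EventID:int, TargetAccount:string)
[
    datetime(2018-06-20 08:00:00), 4723, "Domain\\Administrator",   // password change attempt
    datetime(2018-06-20 08:05:00), 4724, "DOMAIN\\serviceaccount",  // password reset, different case
    datetime(2018-06-20 08:10:00), 4711, "Domain\\Administrator",   // not one of the event IDs we want
    datetime(2018-06-20 08:15:00), 4724, "Domain\\foo.bar"          // not one of the accounts we want
]
// Equivalent "or" form for the event filter, parenthesised so it stays one predicate:
// | where (EventID == 4723 or EventID == 4724)
| where EventID in (4723, 4724)
// "in~" matches case-insensitively; plain "in" would drop the DOMAIN\\serviceaccount row.
| where TargetAccount in~ (Accounts)
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by TargetAccount, EventID
| order by LastSeen desc
```

With the sample rows this returns two result rows, one per matched account and event ID; swapping "in~" for "in" returns only the Administrator row, which is the behaviour to check for first when a filter on account names comes back empty.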
Ivan Koshkin
Jun 22, 2018, Copper Contributor
I've tried using "or" on the same line but it still doesn't work.
Can you explain the following part a little further?
datatable (EventID:int, TargetAccount:string)
[
4723, "Domain\\Administrator",
4711, "Domain\\Administrator",
4711, "Domain\\ServiceAccount",
4724, "Domain\\ServiceAccount",
4723, "Domain\\ServiceAccount",
4724, "foo.bar",
]
Do you use this in conjunction with the "where" statements at the end? Or is it just another way to word it to get the same result?
For example, will this:
SecurityEvent (EventID:int, TargetAccount:string)
[
4723, "Domain\\Administrator",
4724, "Domain\\ServiceAccount",
]
Return the same results as this:
SecurityEvent
| where EventID in (4723, 4724)
| where TargetAccount in ("Domain\\Administrator","Domain\\ServiceAccount")