Forum Discussion
Solved
Create query with "where" clause that targets multiple accounts.
I would like to query multiple account's for the same event ID. I tried the syntax below, and it doesn't give me a syntax error, but when I test it there are no results. SecurityEvent | where Ev...
I assume that you only need to have the the or statement in the same line with the where clause and it should work.
However, I would prefer the following approach:datatable (EventID:int, TargetAccount:string)[4723, "Domain\\Administrator",4711, "Domain\\Administrator",4711, "Domain\\ServiceAccount",4724, "Domain\\ServiceAccount",4723, "Domain\\ServiceAccount",4724, "foo.bar",]| where EventID in (4723, 4724)| where TargetAccount in ("Domain\\Administrator","Domain\\ServiceAccount")
I assume that you only need to have the the or statement in the same line with the where clause and it should work.
However, I would prefer the following approach:
datatable (EventID:int, TargetAccount:string)
[
4723, "Domain\\Administrator",
4711, "Domain\\Administrator",
4711, "Domain\\ServiceAccount",
4724, "Domain\\ServiceAccount",
4723, "Domain\\ServiceAccount",
4724, "foo.bar",
]
| where EventID in (4723, 4724)
| where TargetAccount in ("Domain\\Administrator","Domain\\ServiceAccount")
Actually nevermind, I think I understand. Do you know if it's possible to target Active Directory OUs? Like for example:
SecurityEvent
| where EventID in (4723, 4724)
| where TargetOU == "CN=ServiceAccounts,OU=Company,OU=com"
This would make my life a lot easier.
Unfortunately I have no SecurityEvent entries in my workspace (we only have custom logs).
I used the datatable operator to simulate a similar input.