Forum Discussion

Copper Contributor

Jan 23, 2020

Solved

Log Analytics query filter select multiple accounts

Hi, I want to setup a query and create an alert for (failed) signin attempts of multiple service accounts. I collect the signin attempts in Log Analytics and use this query to filter: SigninL...

azure monitor

Query Language

hspinto
Jan 24, 2020
marwedit, you just have to add a different condition to the query:

SigninLogs

| where OperationName == "Sign-in activity" and (UserPrincipalName in~ ('auobrien.david@outlook.com','john.doe@outlook.com','mary.jones@outlook.com') or UserPrincipalName startswith "svc_")

See here a full list of the string operators you can use.

Hope that helps!

hspinto

Microsoft

Jan 23, 2020

marwedit, would something like this be OK?

SigninLogs

| where OperationName == "Sign-in activity" and UserPrincipalName in~ ('auobrien.david@outlook.com','john.doe@outlook.com','mary.jones@outlook.com')

marwedit

Copper Contributor

Jan 24, 2020

hspinto Thanks for the reply! I tried it and it works great. Thanks! This tackles the multiple query problem since I can put multiple users in one. One more question. Do you know of a way I could enter a wildcard in the filter so new service accounts (svc_*) are automatically added? When I replace part of the username with * it just ignores it.

hspinto
Microsoft
Jan 24, 2020
marwedit, you just have to add a different condition to the query:

SigninLogs

| where OperationName == "Sign-in activity" and (UserPrincipalName in~ ('auobrien.david@outlook.com','john.doe@outlook.com','mary.jones@outlook.com') or UserPrincipalName startswith "svc_")

See here a full list of the string operators you can use.

Hope that helps!
- marwedit
  Copper Contributor
  Jan 24, 2020
  hspinto Thanks for the help and the link. This is exactly what I was looking for.