Forum Discussion

Singanna
Jul 26, 2021
Solved

Active Directory logs in AuditLog table

Hi, I have an on-prem AD which is streaming the logs into Azure Sentinel. I need to monitor a couple of groups in the on-prem AD, for activities like User Added or Deleted. For this I am checking Aud...
  • BilalelHadd
    Oct 07, 2021
    Hi Singanna,

    Did you try to run a query within Log Analytics to see the results? You could use the below command, for example, to show the members that are added to a security group.

    // Members added to security groups
    // Who was added to security-enabled group over the last day?
    // To create an alert for this query, click '+ New alert rule'
    SecurityEvent
    | where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
    | summarize count() by SubjectAccount, Computer, _ResourceId
    // This query requires the Security solution
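
    An added example (not from the original thread or from BilalelHadd's answer) that narrows the same SecurityEvent data to a fixed set of watched groups and also covers member removals; the group names are constructed placeholders:

```kql
// Added example, not from the original thread: watch specific on-prem AD groups
// for member additions and removals. Group names are placeholders; replace them
// with the groups you need to monitor.
let WatchedGroups = dynamic(["Domain Admins", "Tier0-Operators"]);
let MemberAdded   = dynamic([4728, 4732, 4756]); // member added to global / local / universal security-enabled group
let MemberRemoved = dynamic([4729, 4733, 4757]); // member removed from global / local / universal security-enabled group
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (MemberAdded) or EventID in (MemberRemoved)
// For these event IDs TargetUserName holds the group that was changed,
// MemberName / MemberSid hold the account that was added or removed,
// and SubjectAccount is who performed the change.
| where TargetUserName in~ (WatchedGroups)
| extend Action = iff(EventID in (MemberAdded), "MemberAdded", "MemberRemoved")
| project TimeGenerated, Action, EventID, Group = TargetUserName,
          Member = MemberName, MemberSid, ChangedBy = SubjectAccount,
          Computer, Activity
| order by TimeGenerated desc
```

    To raise an alert rather than list rows, replace the final project/order with a summarize over Group and Action and schedule it as an analytics rule; the explicit ago(1d) filter is only there so the query is self-contained outside the Log Analytics time picker.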
