Forum Discussion
akshay250692 (Brass Contributor)
Mar 02, 2023
calling AD group in analytical rule in place of watchlist
Hi Team,
Is it possible to use an AD group in an analytical rule in place of a watchlist?
If possible, how can it be done?
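- abdul1998 (Copper Contributor)
IdentityInfo
// GroupMembership is a dynamic array, so match with has; replace the placeholder with the AD group name
| where GroupMembership has "<group name>"
| distinct AccountName, GroupMembership
Please check this.
- Clive_Watson (Bronze Contributor)
AD or AAD?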
UEBA helps here... the "IdentityInfo" table holds the GroupMembership:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037
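An added example (not part of any post in this thread) of how the IdentityInfo lookup suggested above can stand in for a watchlist inside an analytics rule query. The group name is a placeholder, and the choice of SigninLogs as the event table, the 14-day and 1-hour lookbacks, and the projected columns are assumptions for illustration.

```kusto
// Added example: use AD group membership from IdentityInfo where a
// watchlist lookup would normally go. Requires UEBA to be enabled so
// that the IdentityInfo table is populated.
let GroupName = "<group name>";   // placeholder: the AD group to match
// Build the member list that replaces _GetWatchlist(...).
let GroupMembers =
    IdentityInfo
    | where TimeGenerated > ago(14d)                     // assumed lookback
    | summarize arg_max(TimeGenerated, *) by AccountUPN  // latest record per account
    | where set_has_element(GroupMembership, GroupName)  // exact match on one array element
    | project AccountUPN = tolower(AccountUPN);
// Event table and filters below are assumptions; swap in the table the rule monitors.
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                                // successful sign-ins
| extend UPN = tolower(UserPrincipalName)
| where UPN in (GroupMembers)                            // membership test against the group
| project TimeGenerated, UPN, IPAddress, AppDisplayName, Location
```

Taking the latest IdentityInfo record per account before filtering keeps accounts that were removed from the group from matching on an older record.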