Forum Discussion
Ciyaresh
Sep 17, 2021, Copper Contributor
Monitoring specific list of users, belonging to an AD group
Hello everyone! I have list of users that I would like to use for additional monitoring. We could say these are "high risk" users. These users belong to specific AD groups (more than one). We are...
stianhoydal
Sep 22, 2021, Copper Contributor
Ciyaresh Ah, well that is because the query you found in the link was made by the original creator, it is more of a test to see that it works.
I would probably do something like this:
// Build the watch list from the custom table; distinct removes duplicate UPNs
let HighriskUsers = HighRiskUsers_CL
| distinct UserPrincipalName_s;
// Keep only successful logons (EventID is a numeric column, so compare to a number) for accounts in the list
SecurityEvent
| where EventID == 4624
| where TargetAccount in (HighriskUsers)
Just make sure the custom log table usernames match the SecurityEvent TargetAccount regarding upper/lower case. You can use the toupper/tolower functions to make sure they match if they do not by default. I use the distinct operator to make sure I don't get duplicate values from the custom table.
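Added example (not from the original thread or either poster): a self-contained KQL version of the same join that can be pasted into any Log Analytics workspace, because the custom table and SecurityEvent are replaced by constructed datatable rows. It assumes the custom table holds UPNs (user@domain) while SecurityEvent carries the account as DOMAIN\user in TargetAccount and the bare name in TargetUserName, and that the UPN prefix equals the Windows account name; both sides are lower-cased before the comparison so the case mismatch the reply warns about cannot cause silent misses. The names SampleSecurityEvent and HighRiskNames are this example's own.

```kusto
// Constructed sample of the custom table HighRiskUsers_CL (not real data); note mixed case and a duplicate
let HighRiskUsers = datatable(UserPrincipalName_s:string)
[
    "Alice.Smith@contoso.com",
    "bob.jones@CONTOSO.com",
    "bob.jones@contoso.com"
];
// Constructed stand-in for SecurityEvent; only the columns this query touches
let SampleSecurityEvent = datatable(TimeGenerated:datetime, EventID:int, TargetAccount:string, TargetUserName:string, LogonType:int, Computer:string)
[
    datetime(2021-09-22T08:00:00Z), 4624, @"CONTOSO\alice.smith", "alice.smith", 10, "SRV01",
    datetime(2021-09-22T08:05:00Z), 4624, @"CONTOSO\carol.white", "carol.white", 2,  "WS07",
    datetime(2021-09-22T08:10:00Z), 4624, @"CONTOSO\BOB.JONES",   "BOB.JONES",   3,  "SRV02",
    datetime(2021-09-22T08:15:00Z), 4625, @"CONTOSO\alice.smith", "alice.smith", 3,  "SRV01"
];
// Normalise the watch list: take the part of the UPN before "@" and lower-case it.
// Assumption: that prefix is the same account name Windows writes into the logon event.
let HighRiskNames = HighRiskUsers
| extend Account = tolower(tostring(split(UserPrincipalName_s, "@")[0]))
| distinct Account;
SampleSecurityEvent
| where EventID == 4624                        // successful logon; EventID is numeric, so no quotes
| extend Account = tolower(TargetUserName)     // apply the same normalisation on the event side
| where Account in (HighRiskNames)             // both sides are lower-case, so a plain "in" is safe
| summarize Logons = count(),
            Computers = make_set(Computer),
            LogonTypes = make_set(LogonType)
         by Account
| order by Logons desc
```

On the constructed rows this returns two accounts, alice.smith (one logon, SRV01, type 10) and bob.jones (one logon, SRV02, type 3); carol.white is dropped because she is not on the list, and the 4625 failure is excluded by the EventID filter. To run it against real data, replace the HighRiskUsers datatable with HighRiskUsers_CL and SampleSecurityEvent with SecurityEvent; the rest of the query is unchanged. Matching on TargetUserName rather than the full DOMAIN\user TargetAccount is a deliberate simplification and will merge same-named accounts from different domains, so in a multi-domain forest keep the domain in the comparison.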
Ciyaresh
Sep 22, 2021, Copper Contributor
stianhoydal Thank you, now I get it fully. It works as you described!