Forum Discussion
Monitoring specific list of users, belonging to an AD group
Thank you so much, I was able to push the high risk users to sentinel logs with a playbook following your method. However... excuse my ignorance but the last query you are running..
let Alert=
SigninLogs
| where UserPrincipalName contains "username"
| where ResultType == "50158"
| take 1;
let HighRiskUser=
HighRiskUsers_CL
| where TimeGenerated > ago(24h)
| extend UserPrincipalName = UserPrincipalName_s
| project TimeGenerated, UserPrincipalName, AADObjectID_g
;
Alert
| join kind=inner HighRiskUser on UserPrincipalName
| project TimeGenerated, ResultType, UserPrincipalName
this query works only if we replace "username" with an actual username. But wasnt the whole point of this to not enter usernames manually? what am I missing here. FYI I am just a beginner at KQL and still not familiar with most operators, including join/union.
Ciyaresh Ah, well that is because the query you found in the link was made by the original creator, it is more of a test to see that it works.
I would probably do something like this;
let HighriskUsers = HighRiskUsers_CL
| distinct UserPrincipalName_s;
SecurityEvent
| where TargetAccount in (HighriskUsers)
| where EventID == "4624"Just make sure the custom log table usernames match with the SecurityEvent TargetAccount regarding upper/lower case. You can use the toupper/tolower function to make sure they match if they are not by default. I use the distinct operation to make sure i dont get duplicate values from the custom table.
stianhoydal Thank you, now I get it fully. works as you described!