Forum Discussion
Pavan_Gelli1910
Jan 06, 2020 | Brass Contributor
Storing static data in table to use in KQL
Unable to maintain static/dynamic data sets for below sample use cases.
Use Cases:
- Increase in failed domain admin account logins detected
- Password change or reset on known privileged account
- Interactive login (Success or Failed) from Service Account
Ex: Interactive login (Success or Failed) from Service Account:
Ideally service accounts are used for application level integration. We need to trigger an alert if interactive/remote interactive login observed from service accounts.
Current workaround: I have hard-coded all our service accounts in the KQL query, which is not feasible in the long run.
Challenge: If new service accounts are provisioned, we are missing monitoring on those service accounts until I add them to the KQL query.
Ask: Is there any workaround? KQL to get the data from a storage account like blob / can I create a table / AD using scripts on a scheduled basis / store in Log Analytics.
Please help.
- GaryBushey (Bronze Contributor)
Pavan_Gelli1910 Just saw this timely post on the Azure Sentinel blog page. Could help.
- Pavan_Gelli1910 (Brass Contributor)
This is really the best article to address my ask. Thanks
- GaryBushey (Bronze Contributor)
Pavan_Gelli1910 You can create your own custom log table and add the entries there. This page has a PowerShell script that shows you the steps. It should be easy enough to modify for your needs or to use it as a basis for a different language.
https://gallery.technet.microsoft.com/PowerShell-script-to-0823e09d
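Once the service accounts live in a custom log table instead of being hard-coded, the detection for the "interactive login from service account" use case can read the list at query time. The following KQL is an added example, not from the original thread or the linked script; it assumes a hypothetical custom table named ServiceAccounts_CL with a string column AccountName_s, populated on a schedule, and the standard SecurityEvent table for Windows logon events.

```kql
// Assumed: ServiceAccounts_CL (custom log) with column AccountName_s, one row per
// account per upload. Take the latest upload of each account so re-uploads and
// decommissioned accounts do not produce duplicates.
let svcAccounts = ServiceAccounts_CL
    | summarize arg_max(TimeGenerated, *) by AccountName_s
    | project Account = tolower(AccountName_s);
// Alternative source when the list is kept as a CSV in blob storage (SAS URL is a placeholder):
// let svcAccounts = externaldata(AccountName:string)
//     [h"https://<storageaccount>.blob.core.windows.net/<container>/service-accounts.csv?<SAS>"]
//     with (format="csv", ignoreFirstRecord=true)
//     | project Account = tolower(AccountName);
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID in (4624, 4625)          // 4624 = logon success, 4625 = logon failure
| where LogonType in (2, 10)             // 2 = Interactive, 10 = RemoteInteractive
| extend AccountLower = tolower(TargetUserName)
| where AccountLower in (svcAccounts)    // only accounts present in the maintained list
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, LogonType,
          Outcome = iff(EventID == 4624, "Success", "Failed"), IpAddress, WorkstationName
| order by TimeGenerated desc
```

Scheduled as a Sentinel analytics rule, newly provisioned service accounts are covered as soon as the next upload lands in ServiceAccounts_CL, with no change to the query.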
- Thijs Lecomte (Bronze Contributor)
What I would do in that moment is add the service accounts to a specific group or use a unique attribute and filter your KQL query to that attribute.