I would like to query multiple account's for the same event ID. I tried the syntax below, and it doesn't give me a syntax error, but when I test it there are no results.
SecurityEvent| where EventID in (4723, 4724)| where TargetAccount == "Domain\\Administrator" or
TargetAccount == "Domain\\ServiceAccount"
What is the correct syntax to use "or" with multiple accounts?
Even better, is it possible to use the "where" clause with OUs?
View best response
I assume that you only need to have the the or statement in the same line with the where clause and it should work.
However, I would prefer the following approach:
I've tried using "or" on the same line but it still doesn't work.
Can you explain the following part a little further?
Actually nevermind, I think I understand. Do you know if it's possible to target Active Directory OUs? Like for example:
SecurityEvent| where EventID in (4723, 4724)| where TargetOU == "CN=ServiceAccounts,OU=Company,OU=com"
This would make my life a lot easier.
Unfortunately I have no SecurityEvent entries in my workspace (we only have custom logs).
I used the datatable operator to simulate a similar input.