Active Directory logs in AuditLog table

Occasional Contributor

Hi,

I have an on-prem AD which is streaming the logs into Azure Sentinel. I need to monitor a couple of groups in the on-prem AD for activities like user added or deleted. For this I am checking the AuditLogs table in Sentinel, but I could not find these details in the table.

I am trying to find these details with the below parameters without any success.

OperationName = "Import"

TargetResources contains <DirectoryName> (as I have added a new user to the directory, I am checking with the directory first, before I dig deep)

Could you please advise if this is not the correct approach?

Thanks

0 Replies