Jun 20 2018
10:42 AM
- last edited on
Apr 07 2022
05:12 PM
by
TechCommunityAP
I would like to query multiple accounts for the same event ID. I tried the syntax below, and it doesn't give me a syntax error, but when I test it there are no results.
SecurityEvent
| where EventID in (4723, 4724)
| where TargetAccount == "Domain\\Administrator" or
TargetAccount == "Domain\\ServiceAccount"
What is the correct syntax to use "or" with multiple accounts?
Even better, is it possible to use the "where" clause with OUs?
Jun 22 2018 05:14 AM
Solution
I assume that you only need to have the or statement in the same line with the where clause and it should work.
However, I would prefer the following approach:
Jun 22 2018 07:29 AM
I've tried using "or" on the same line but it still doesn't work.
Can you explain the following part a little further?
Jun 22 2018 07:38 AM
Actually nevermind, I think I understand. Do you know if it's possible to target Active Directory OUs? Like for example:
SecurityEvent
| where EventID in (4723, 4724)
| where TargetOU == "CN=ServiceAccounts,OU=Company,OU=com"
This would make my life a lot easier.
Jun 22 2018 07:47 AM
Unfortunately I have no SecurityEvent entries in my workspace (we only have custom logs).
I used the datatable operator to simulate a similar input.
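The approach described in this answer, written out as an added example that is not part of the original thread: a datatable stands in for the SecurityEvent table (all rows below are constructed sample data), and the account filter from the original question is expressed with the in operator instead of a chained or. The same pattern with a let-bound list keeps the account names out of the query body, which is handy when the same watchlist of privileged accounts is reused across several detection queries.

```kusto
// Added example, not from the original post. Simulates SecurityEvent with the
// datatable operator because the workspace in this thread has no Security events.
// Column names match the real SecurityEvent table; the rows are constructed.
let WatchedAccounts = dynamic([@"Domain\Administrator", @"Domain\ServiceAccount"]);
let SimulatedSecurityEvent = datatable(TimeGenerated: datetime, EventID: int, TargetAccount: string)
[
    datetime(2018-06-20 10:00:00), 4723, @"Domain\Administrator",   // password change attempt, watched account
    datetime(2018-06-20 10:05:00), 4724, @"Domain\ServiceAccount",  // password reset attempt, watched account
    datetime(2018-06-20 10:10:00), 4724, @"Domain\jdoe",            // watched event, unwatched account
    datetime(2018-06-20 10:15:00), 4625, @"Domain\Administrator"    // watched account, unwatched event
];
SimulatedSecurityEvent
| where EventID in (4723, 4724)
// "in" replaces "TargetAccount == A or TargetAccount == B"; it is case-sensitive,
// use in~ if the account name casing in the events is not guaranteed.
| where TargetAccount in (WatchedAccounts)
| project TimeGenerated, EventID, TargetAccount
```

Run against the constructed rows, the query returns only the first two events: the 4724 for Domain\jdoe is dropped by the account filter and the 4625 for Domain\Administrator by the EventID filter. Swapping SimulatedSecurityEvent for SecurityEvent is the only change needed in a workspace that actually collects Windows security events.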