Jan 23 2020
05:44 AM
- last edited on
Apr 08 2022
10:15 AM
by
TechCommunityAP
Hi,
I want to set up a query and create an alert for (failed) signin attempts of multiple service accounts. I collect the signin attempts in Log Analytics and use this query to filter:
SigninLogs | where OperationName == "Sign-in activity" | where UserPrincipalName == "auobrien.david@outlook.com"
The problem is, I want to use this for multiple service accounts and I can't use a wildcard like auobrien.*@outlook.com for example. Any ideas on how to specify multiple accounts or do I have to create a query for each account I want to monitor?
Jan 23 2020 03:02 PM
@marwedit, would something like this be OK?
SigninLogs
| where OperationName == "Sign-in activity" and UserPrincipalName in~ ('auobrien.david@outlook.com','john.doe@outlook.com','mary.jones@outlook.com')
Jan 24 2020 06:25 AM
@hspinto Thanks for the reply! I tried it and it works great. Thanks! This tackles the multiple query problem since I can put multiple users in one. One more question. Do you know of a way I could enter a wildcard in the filter so new service accounts (svc_*) are automatically added? When I replace part of the username with * it just ignores it.
Jan 24 2020 08:56 AM
Solution
@marwedit, you just have to add a different condition to the query:
SigninLogs
| where OperationName == "Sign-in activity" and (UserPrincipalName in~ ('auobrien.david@outlook.com','john.doe@outlook.com','mary.jones@outlook.com') or UserPrincipalName startswith "svc_")
See here a full list of the string operators you can use.
Hope that helps!
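An added example that is not from this thread, building on the accepted answer: it keeps the explicit account list plus the svc_ prefix match, adds a regular-expression match for the auobrien.*@outlook.com pattern from the original question, keeps only failed sign-ins, and summarizes per account so the query can back a scheduled alert rule. The account names, the regex, the one-hour window and the failure threshold are assumptions.

```kusto
// Added example, not from the thread. Account names, the regex, the
// lookback window and the threshold are placeholders to adapt to your tenant.
let watched_accounts = dynamic([
    'auobrien.david@outlook.com',
    'john.doe@outlook.com',
    'mary.jones@outlook.com'
]);
SigninLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Sign-in activity"
// Match explicitly listed accounts (case-insensitive), any svc_ prefix,
// or the wildcard pattern from the original question written as a regex.
| where UserPrincipalName in~ (watched_accounts)
    or UserPrincipalName startswith "svc_"
    or UserPrincipalName matches regex @"(?i)^auobrien\..*@outlook\.com$"
// ResultType is "0" for a successful sign-in; anything else is a failure.
| where ResultType != "0"
| summarize
    FailedAttempts = count(),
    DistinctSourceIPs = dcount(IPAddress),
    ErrorCodes = make_set(ResultType),
    Apps = make_set(AppDisplayName),
    FirstFailure = min(TimeGenerated),
    LastFailure = max(TimeGenerated)
    by UserPrincipalName
// Raise the alert only when failures for one account cross the assumed threshold.
| where FailedAttempts >= 5
| order by FailedAttempts desc
```

Any ResultType other than "0" counts as a failure here, which lumps bad passwords, lockouts and MFA failures together; narrow ErrorCodes to the specific codes you care about if that is too noisy for the alert.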
Jan 24 2020 11:02 AM
@hspinto Thanks for the help and the link. This is exactly what I was looking for.