Jul 11 2022 10:58 AM
By using watchlists, you can import on-premises AD privileged users into Microsoft Sentinel and build analytics rules on top of them as your needs dictate. The catch is that importing is a manual operation, and the watchlist is only useful while it is current: every time a user is added to or removed from a privileged group such as Domain Admins, the matching watchlist item has to be added or removed as well, or rules based on it will miss new admins and keep alerting on old ones.
To address this, we created a Logic App that connects to one of the on-premises servers (not a domain controller) with a standard read-only domain user, gathers the members of the privileged groups, and then updates the watchlist from that list.
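As an added example (this is not the Logic App or script from the original post), the collection step can look like the following PowerShell, run on a domain-joined server under a standard read-only domain account. It expands each privileged group recursively so that a user who becomes a Domain Admin through a nested group is still reported, writes the CSV a Sentinel watchlist import expects, and diffs against the previous export so you can see exactly which items need adding or removing. The group list, output path and column names are assumptions; align the first column with the SearchKey you chose when creating the watchlist.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT
# module is installed on the collection server and that the script runs as a
# standard domain user: reading group membership needs no elevated rights,
# since default AD permissions give Authenticated Users read access to it.
Import-Module ActiveDirectory

# Assumed set of privileged groups; extend with your own tier-0 groups.
$PrivilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Administrators',
    'Account Operators',
    'Server Operators',
    'Backup Operators',
    'Print Operators'
)

# Assumed output path; the first CSV column is meant to be the watchlist SearchKey.
$OutputPath = 'C:\Sentinel\privileged-users.csv'

function Get-PrivilegedUserList {
    param([string[]]$Groups)

    $result = @{}
    foreach ($group in $Groups) {
        $adGroup = Get-ADGroup -Filter "Name -eq '$group'" -ErrorAction SilentlyContinue
        if (-not $adGroup) {
            Write-Warning "Group '$group' not found; skipping."
            continue
        }
        # -Recursive expands nested groups. Members from another forest
        # (ForeignSecurityPrincipal objects) make the cmdlet throw, so catch
        # that and keep going rather than abort the whole run.
        try {
            $members = Get-ADGroupMember -Identity $adGroup.DistinguishedName -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' }
        } catch {
            Write-Warning "Could not fully expand '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # Key by SamAccountName so a user in several groups yields one row.
            if (-not $result.ContainsKey($m.SamAccountName)) {
                $user = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, UserPrincipalName
                $result[$m.SamAccountName] = [pscustomobject]@{
                    SamAccountName    = $m.SamAccountName
                    UserPrincipalName = $user.UserPrincipalName
                    Enabled           = $user.Enabled
                    PrivilegedGroups  = $group
                }
            } else {
                $result[$m.SamAccountName].PrivilegedGroups += ";$group"
            }
        }
    }
    return $result.Values | Sort-Object SamAccountName
}

$current = @(Get-PrivilegedUserList -Groups $PrivilegedGroups)

# Diff against the previous export so the Logic App (or an operator) can add
# and remove individual watchlist items instead of bulk-replacing the list.
if (Test-Path $OutputPath) {
    $previous = @(Import-Csv -Path $OutputPath)
    $diff = Compare-Object -ReferenceObject $previous -DifferenceObject $current -Property SamAccountName
    foreach ($d in $diff) {
        $action = if ($d.SideIndicator -eq '=>') { 'ADD' } else { 'REMOVE' }
        Write-Output "$action $($d.SamAccountName)"
    }
}

$current | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
```

Two points worth keeping in mind when wiring this into the Logic App: the account that runs the script only needs read access to AD, so a compromise of the collection server does not hand an attacker write access to group membership; but the CSV it produces is a ready-made target list of your most privileged accounts, so the output path and the connection the Logic App uses to read it deserve the same protection as the watchlist itself.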