SOLVED

Active Directory logs in AuditLog table


Hi,

I have an on-prem AD which is streaming the logs into Azure Sentinel. I need to monitor a couple of groups in the on-prem AD for activities like user added or deleted. For this I am checking the AuditLogs table in Sentinel, but I could not find these details in the table.

I am trying to find these details with the below parameters without any success.

OperationName = "Import"

TargetResources contains <DirectoryName> (as I have added a new user to the directory, I am checking with the directory first, before I dig deep)

Could you please advise if this is not the correct approach?

Thanks


2 Replies
best response confirmed by Singanna (Copper Contributor)
Solution
Hi @Singanna,

Did you try to run a query within Log Analytics to see the results? You could use the below command, for example, to show the members that are added to a security group.

// Members added to security groups
// Who was added to a security-enabled group over the last day?
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where TimeGenerated > ago(1d) // restrict to the last day, as the comment above promises
| where EventID in (4728, 4732, 4756) // member added to a security-enabled global (4728), local (4732) or universal (4756) group
| summarize count() by SubjectAccount, TargetAccount, MemberName, Computer, _ResourceId // TargetAccount is the group, MemberName the account that was added
// This query requires the Security solution (Security Events data connector)
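An added example, not from the thread above and not from either poster: the AuditLogs table holds Microsoft Entra ID (Azure AD) audit events, so on-prem AD group changes never appear there. They arrive as Windows Security log events in the SecurityEvent table once the Security Events data connector is collecting from the domain controllers. The KQL below builds on the accepted answer by covering removals as well as additions, naming the group and the member, and restricting the result to a watch list of groups. The group names in watched_groups are placeholders to replace; the column names (TargetUserName, TargetDomainName, MemberName, MemberSid, SubjectAccount, SubjectLogonId) are the standard SecurityEvent schema.

```kusto
// Added example (not part of the original thread). Group names are assumed placeholders.
let watched_groups = dynamic(["Domain Admins", "Tier0-Operators"]); // assumption: replace with the groups to monitor
SecurityEvent
| where TimeGenerated > ago(1d)
// 4728/4729 global, 4732/4733 domain-local, 4756/4757 universal security group member added/removed
| where EventID in (4728, 4729, 4732, 4733, 4756, 4757)
| extend Action = iff(EventID in (4728, 4732, 4756), "MemberAdded", "MemberRemoved")
// for group-management events TargetUserName is the group, MemberName is the member's distinguished name
| where TargetUserName in~ (watched_groups)
| project TimeGenerated, Computer, Action,
          GroupName = TargetUserName, GroupDomain = TargetDomainName,
          Member = MemberName, MemberSid,
          ChangedBy = SubjectAccount, SubjectLogonId
| order by TimeGenerated desc
```

Before building an analytics rule on this, confirm the events are actually landing: `SecurityEvent | where EventID in (4728, 4729, 4732, 4733, 4756, 4757) | summarize count() by EventID` should return rows for each ID after a test change. If it returns nothing, check on a domain controller that the "Security Group Management" audit subcategory is enabled (`auditpol /get /subcategory:"Security Group Management"`) and that the connector's selected event set includes these IDs rather than only the minimal set. MemberName is a distinguished name (CN=...,OU=...), so match on it with `has` or `contains` rather than equality against a sAMAccountName.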
Thanks Bilal for the response.
