SOLVED

Active Directory logs in AuditLog table

Occasional Contributor

Hi,

I have an on-prem AD which is streaming its logs into Azure Sentinel. I need to monitor a couple of groups in the on-prem AD for activities like a user being added or deleted. For this I am checking the AuditLogs table in Sentinel, but I could not find these details in the table.

I am trying to find these details with the below parameters without any success.

OperationName = "Import"

TargetResources contains <DirectoryName> (As I have added a new user to the directory, I am checking with the directory first, before I dig deep)

Could you please advise if this is not the correct approach?

Thanks


2 Replies
best response confirmed by Singanna (Occasional Contributor)
Solution
Hi @Singanna,

Did you try to run a query within Log Analytics to see the results? You could use the below command, for example, to show the members that are added to a security group.

// Members added to security groups
// Who was added to a security-enabled group over the last day?
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution
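On-prem Windows Security events collected by the agent land in the SecurityEvent table, not in AuditLogs (which holds Azure AD audit activity), which is why the posted query reads SecurityEvent. The following is an added example, not code from the thread: it reproduces the posted query's logic in Python over constructed SecurityEvent-shaped rows and extends it to the removal events (4729, 4733, 4757) the question also asked about, a watched-group filter on TargetUserName, and an explicit one-day window. Group names, accounts, hostnames and the resource id are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Windows Security event IDs for security-enabled group membership changes.
# The posted query uses the "added" set; the "removed" set covers the
# "user deleted from a group" case the question also raised.
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}

NOW = datetime(2021, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def row(age, event_id, actor, group, member, computer="DC01.contoso.com"):
    """Build a constructed record using the SecurityEvent column names the query relies on."""
    return {"TimeGenerated": NOW - age, "EventID": event_id, "SubjectAccount": actor,
            "TargetUserName": group, "MemberName": member, "Computer": computer,
            "_ResourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/DC01"}


# Constructed sample rows (not real telemetry). In 4728/4729-family events TargetUserName
# is the group and MemberName is the member's DN; SubjectAccount is who made the change.
SAMPLE_EVENTS = [
    row(timedelta(hours=2), 4728, "CONTOSO\\jdoe", "Domain Admins", "CN=svc-backup,OU=Service,DC=contoso,DC=com"),
    row(timedelta(hours=1), 4728, "CONTOSO\\jdoe", "Domain Admins", "CN=tmp-admin,OU=Users,DC=contoso,DC=com"),
    row(timedelta(minutes=30), 4729, "CONTOSO\\asmith", "Domain Admins", "CN=tmp-admin,OU=Users,DC=contoso,DC=com"),
    row(timedelta(days=3), 4732, "CONTOSO\\jdoe", "Administrators", "CN=old,OU=Users,DC=contoso,DC=com"),  # outside 1d
    row(timedelta(minutes=10), 4732, "CONTOSO\\helpdesk1", "Helpdesk", "CN=newhire,OU=Users,DC=contoso,DC=com"),
    row(timedelta(minutes=5), 4624, "CONTOSO\\jdoe", "-", "-"),  # logon event, not a membership change
]


def group_membership_changes(events, watched, now=NOW, lookback=timedelta(days=1)):
    """Equivalent of the posted KQL with removals, a group filter and a time window added:
        SecurityEvent
        | where TimeGenerated > ago(1d) and EventID in (4728,4732,4756,4729,4733,4757)
        | where TargetUserName in (<watched groups>)
        | summarize count() by SubjectAccount, Computer, _ResourceId, TargetUserName, EventID
    Returns {(SubjectAccount, Computer, _ResourceId, group, action): count}.
    """
    summary = Counter()
    for e in events:
        eid = e["EventID"]
        if eid in MEMBER_ADDED:
            action = "added"
        elif eid in MEMBER_REMOVED:
            action = "removed"
        else:
            continue  # not a group membership event
        if e["TimeGenerated"] <= now - lookback:
            continue  # older than the lookback window
        if e["TargetUserName"] not in watched:
            continue  # only the groups the analyst asked to monitor
        summary[(e["SubjectAccount"], e["Computer"], e["_ResourceId"], e["TargetUserName"], action)] += 1
    return dict(summary)
```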

Thanks Bilal for the response.