SOLVED

Storing static data in table to use in KQL

Occasional Contributor

Unable to maintain static/dynamic data sets for below sample use cases.

 

Use Cases:

 

  1. Increase in failed domain admin account logins detected
  2. Password change or rest on known privileged account
  3. Interactive login (Success or Failed) from Service Account

Ex: Interactive login (Success or Failed) from Service Account:

 

Ideally service accounts are used for application level integration. We need to trigger an alert if interactive/remote interactive login observed from service accounts.

 

Current work around: I have hard coded the all our service accounts in the KQL query. Which is not feasible in long run.

 

Challenge: If new service accounts are provisioned. We are missing monitoring on those service accounts until I add them in KQL Query.

 

Ask: Is there any workaround, KQL to get the data from storage account like blob / can I create table /AD using scripts on scheduled basis /store in log analytics.

 

Please help.

4 Replies
What I would do in that moment is add the service accounts to a specific group or use a unique attribute and filter your KQL query to that attribute

@Pavan_Gelli1910 You can create your own custom log table and add the entries there.  This page has a PowerShell script that shows you the steps.  It should be easy enough to modify for your needs or to use it as a basis for a different language.

 

https://gallery.technet.microsoft.com/PowerShell-script-to-0823e09d

 

best response confirmed by Pavan_Gelli1910 (Occasional Contributor)
This is really the best article to address my ask. Thanks
www.000webhost.com