Sep 22 2021 09:39 AM
@Ciyaresh Ah, well, that is because the query you found in the link was made by the original creator; it is more of a test to see that it works.
I would probably do something like this:
// Distinct list of high-risk accounts from the custom log table
let HighriskUsers = HighRiskUsers_CL | distinct UserPrincipalName_s;
// Successful logons (4624) for any of those accounts
SecurityEvent
| where EventID == 4624   // EventID is an integer column, so compare against a number, not a string
| where TargetAccount in (HighriskUsers)
Just make sure the custom log table usernames match the SecurityEvent TargetAccount values regarding upper/lower case. You can use the toupper/tolower functions to make sure they match if they do not by default. I use the distinct operation to make sure I don't get duplicate values from the custom table.
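As an added example (not part of the original post), here is the same lookup with the case normalisation applied on both sides before the match, plus a time bound and a projection of the fields you would typically want when hunting logons by high-risk accounts. It assumes the custom table HighRiskUsers_CL with a string column UserPrincipalName_s as in the post, and that the values in that column are in the same format as SecurityEvent's TargetAccount apart from case; the 1-day window and the projected columns are illustrative choices.

```kusto
// Added example, not the original poster's query.
// Assumes HighRiskUsers_CL has a string column UserPrincipalName_s whose values
// are in the same format as SecurityEvent.TargetAccount apart from letter case.
let HighRiskUsers = HighRiskUsers_CL
    | where isnotempty(UserPrincipalName_s)
    // lower-case and strip surrounding whitespace so the match is not defeated by formatting
    | extend NormalizedAccount = tolower(trim(@"\s+", UserPrincipalName_s))
    | distinct NormalizedAccount;   // single-column table, usable with the in() operator
SecurityEvent
| where TimeGenerated > ago(1d)     // illustrative window; widen as needed
| where EventID == 4624             // successful logon; EventID is an int, so no quotes
| extend NormalizedAccount = tolower(TargetAccount)
| where NormalizedAccount in (HighRiskUsers)
| project TimeGenerated, Computer, TargetAccount, LogonType, IpAddress, WorkstationName
| order by TimeGenerated desc
```

If you would rather not add the extend step on the SecurityEvent side, Kusto also has a case-insensitive variant of the operator, `in~`, so `| where TargetAccount in~ (HighriskUsers)` gives the same effect as lower-casing both sides; normalising explicitly is just easier to reason about when the custom table is fed by an external process you do not control.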