Comments

1 comment

Sort by Date Votes
  • Official comment
    Avatar
    Timothy MacDonald
    • Edited

    Looking for something that is not there can get a bit tricky. My suggestion would be:

    1. Create a query that creates a list of active group (parsed from the AD logs) and schedule it to save to an index once every X days. This will create a baseline that can be used later for comparison. 

    https://help.sumologic.com/Dashboards-and-Alerts/Alerts/08-Save-to-Index

    For example (note: you will likely need to add additional filters to this query to make sure you getting the activity you want.)


    _sourceCategory="Labs/Azure/AD" group
    | json "properties.additionalTargets[1].Name" as groupname
    | count by groupname
    | fields groupname

    2. Create a second query that filters the results based on the index created in the first query. This would be accomplished using the subquery operator. 

    https://help.sumologic.com/05Search/Subqueries

    For example something like this (assuming you saved the first query to an index called "groupbaseline": 

    _index=groupbaseline
    |where ! ([subquery:  _sourceCategory="Labs/Azure/AD" group
    | json "properties.additionalTargets[1].Name" as groupname
    | count by groupname
    | fields groupname | compose groupname ])

    This should return only those groups that existed in the baseline index but no longer appear in the current logs. 

    Please note that the above queries may need some slight tweaking to suit your use case. Also note that saving to an index creates additional ingest volume as new data is being generated and saved. 

    Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post