Security

Identify admins being added to multiple groups in ad?

Explorer

My search is as follows:
(EventCode=4728 OR EventCode=4732 OR EventCode=4756) a_* (Group_Name= OR Group_Name= OR Group_Name=Group_Name3>

This search works well to identify when any admin account has been added to these groups. I want to know if I can extend this search to identify when 1 admin has been added to more than 1 of these groups. Any help would be appreciated.

0 Karma

Super Champion

try |stats dc(Group_Name) by account to count how many groups belong to the account types.

Esteemed Legend

Or maybe:

| stats values(Group_Name) AS Group_Names dc(Group_Name) AS Group_Name_count | where Group_Name_count>1
0 Karma