Create alert event view 4728 add users in groups

Hi Rodrigo,

If you have an example log line such as

{
    "timestamp": "2021-01-12T16:01:30.544Z",
    "source_user": "jsmith admin",
    "target_user": "jsmith admin",
    "source_user_domain": "r7mslab.local",
    "target_user_domain": "r7mslab.local",
    "action": "MEMBER_ADDED_TO_SECURITY_GROUP",
    "source_account": "jsmith_admin",
    "target_account": "cn=jsmith admin,ou=admin_accounts,ou=administration,ou=r7mslab,dc=r7mslab,dc=local",
    "group": "zonepolicytest",
    "group_scope": "SECURITY_ENABLED_GLOBAL_GROUP",
    "group_domain": "r7mslab",
    "source_json": {
        "eventCode": 4728,
        "computerName": "R7MSLAB-DC01.R7MSLAB.local",
        "insertionStrings": [
            "CN=jsmith admin,OU=Admin_Accounts,OU=Administration,OU=R7MSLAB,DC=R7MSLAB,DC=local",
            "S-1-5-21-2587591228-874857867-111615119-1108",
            "ZonePolicyTest",
            "R7MSLAB",
            "S-1-5-21-2587591228-874857867-111615119-1125",
            "S-1-5-21-2587591228-874857867-111615119-1108",
            "jsmith_admin",
            "R7MSLAB",
            "0x1dcae44",
            "-"
        ],
        "timeGenerated": "20210112160130.544610-000"
    }
}

and you wanted to have multiple groups, you would build your query like

"action" = "MEMBER_ADDED_TO_SECURITY_GROUP" AND ("group" = "zonepolicytest" OR group=xyz OR "group"=/.*/ )

It's important to use parentheses when combining ANDs and ORs.

A AND (B OR C)

Note that in my example I have "group"=/.*/; this is regex notation for "any character, any number of times", so it will include all results where the key "group" is equal to anything.

In order for your query to work, it would need to be something like

action="MEMBER_ADDED_TO_SECURITY_GROUP" AND group_scope="SECURITY_ENABLED_DOMAIN_LOCAL_GROUP" AND (group="account operators" OR group="Backup Operators")

If you wanted to also include the source_json.eventCode, you would include that as a key comparison like

source_json.eventCode=4732 not group="source_json.eventCode … . . "

David

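To make the precedence point concrete, here is an added example (not part of the reply above, and not InsightIDR's own query engine) that evaluates the queries from the reply over a few constructed events: the parenthesised A AND B AND (C OR D) form, the same terms with the parentheses dropped, and the "group"=/.*/ regex form. The event fields and the case-insensitive string comparison are assumptions modelled on the log line shown in the reply.

```python
import json
import re

# Constructed sample events (not from the original post), trimmed to the keys the
# queries use; field names follow the log line shown above.
EVENTS = [json.loads(s) for s in (
    '{"action": "MEMBER_ADDED_TO_SECURITY_GROUP", "group": "zonepolicytest", "group_scope": "SECURITY_ENABLED_GLOBAL_GROUP", "source_json": {"eventCode": 4728}}',
    '{"action": "MEMBER_ADDED_TO_SECURITY_GROUP", "group": "backup operators", "group_scope": "SECURITY_ENABLED_DOMAIN_LOCAL_GROUP", "source_json": {"eventCode": 4732}}',
    '{"action": "MEMBER_REMOVED_FROM_SECURITY_GROUP", "group": "backup operators", "group_scope": "SECURITY_ENABLED_DOMAIN_LOCAL_GROUP", "source_json": {"eventCode": 4733}}',
)]

def get_key(event, dotted):
    # Resolve a dotted key such as source_json.eventCode against the nested event.
    for part in dotted.split("."):
        if not isinstance(event, dict) or part not in event:
            return None
        event = event[part]
    return event

def eq(key, value):
    # key=value comparison; strings compare case-insensitively (assumed, as "group" is normalised).
    def pred(event):
        actual = get_key(event, key)
        if isinstance(actual, str) and isinstance(value, str):
            return actual.lower() == value.lower()
        return actual == value
    return pred

def matches(key, pattern):
    # key=/regex/ comparison; /.*/ therefore matches any string value.
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda event: isinstance(get_key(event, key), str) and bool(rx.fullmatch(get_key(event, key)))

def AND(*preds): return lambda e: all(p(e) for p in preds)
def OR(*preds): return lambda e: any(p(e) for p in preds)

def run(query, events=EVENTS):
    return [get_key(e, "source_json.eventCode") for e in events if query(e)]

# The corrected query from the post, A AND B AND (C OR D): only the domain-local add.
DOMAIN_LOCAL_ADDS = AND(eq("action", "MEMBER_ADDED_TO_SECURITY_GROUP"),
                        eq("group_scope", "SECURITY_ENABLED_DOMAIN_LOCAL_GROUP"),
                        OR(eq("group", "account operators"), eq("group", "Backup Operators")))
# Same terms with the parentheses dropped, read as (A AND B AND C) OR D: the removal (4733) now matches.
UNGROUPED = OR(AND(eq("action", "MEMBER_ADDED_TO_SECURITY_GROUP"),
                   eq("group_scope", "SECURITY_ENABLED_DOMAIN_LOCAL_GROUP"),
                   eq("group", "account operators")),
               eq("group", "Backup Operators"))
# The first query in the post: "group"=/.*/ inside the OR makes every add match.
ANY_GROUP_ADDS = AND(eq("action", "MEMBER_ADDED_TO_SECURITY_GROUP"),
                     OR(eq("group", "zonepolicytest"), eq("group", "xyz"), matches("group", ".*")))
```

Calling run(UNGROUPED) returns the event codes 4732 and 4733, while run(DOMAIN_LOCAL_ADDS) returns only 4732, which is the difference the parentheses make.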