topic Re: Get a the list of logged in users from Windows AD and alert when there is a new one. in Alerting

Get a the list of logged in users from Windows AD and alert when there is a new one.

bryan_araya — Fri, 24 Jan 2025 16:12:16 GMT

Hello

I need to know what ways exist to be able to get the list of logged in users on Windows host to create an alert when a new user log in the host.

I know, you can get a list of users in Windows using PowerShell, but no matter how much I look, I don't know if you can have a PowerShell extension to be able to inject the results into Dynatrace or is there another way to do it, for example using Windows logs.

Regards Bryan

Re: Get a the list of logged in users from Windows AD and alert when there is a new one.

Maheedhar_T — Mon, 27 Jan 2025 05:33:42 GMT

@bryan_araya ,
I'm suggesting this solution from whatever limited knowledge I have, you can ingest the log file C:\Windows\System32\winevt\Logs\Security.evtx to Dynatrace. Then using DQL you can filter out the standard users and say when a user apart from these set of users log-in create an alert.
Hope this helps.

Re: Get a the list of logged in users from Windows AD and alert when there is a new one.

bryan_araya — Mon, 27 Jan 2025 21:07:04 GMT

Actually what I need is something more complex but I wanted to start with something simple.

I know that you can do something similar with the Windows logs but what i need is the list of users of a host to compare it with the new users to see if any are new or have been modified users. This open an alert in Dynatrace if there is a change to the original list of users.

Re: Get a the list of logged in users from Windows AD and alert when there is a new one.

RohitBisht — Tue, 28 Jan 2025 00:59:13 GMT

This can be done as a 2-step process.
1. Ingest the logs - Solved: Custom Log Source - Windows Event Log - Dynatrace Community
2. Compare it with approved set of users list.
- If logs are on Grail, you can ingest the list as a log entry and then compare it using DQL. OR dynamically you can create the user dataset using this https://docs.dynatrace.com/docs/shortlink/data-source-commands#data and then compare it.

- If you don't have Grail yet or work in Dynatrace managed, you can use log processing rule's function FIELDS_ADD to compare, a sample below. You can use multiple such lines, but this is difficult to scale for a big list of users.

USING(INOUT username:STRING, content)

| FIELDS_ADD(UnknownUser: IF(username != 'XYZ',"NOT FOUND''))

Re: Get a the list of logged in users from Windows AD and alert when there is a new one.

Maheedhar_T — Tue, 28 Jan 2025 06:23:04 GMT

Instead of needing to make a dataset of current users, we can use DQL to check the number of Unique users at this point, create a metric of it using log enrichment and metric extraction.
Then whenever there's an increase on that number, we can create a metric event. That way we'd know someone new have logged in.