24 Jan 2025 04:12 PM
Hello
I need to know what ways exist to get the list of logged-in users on a Windows host, to create an alert when a new user logs in to the host.
I know you can get a list of users in Windows using PowerShell, but no matter how much I look, I don't know if you can have a PowerShell extension to inject the results into Dynatrace, or if there is another way to do it, for example using Windows logs.
Regards Bryan
27 Jan 2025 05:33 AM
@bryan_araya,
I'm suggesting this solution from whatever limited knowledge I have: you can ingest the log file C:\Windows\System32\winevt\Logs\Security.evtx into Dynatrace. Then, using DQL, you can filter out the standard users and, when a user apart from this set of users logs in, create an alert.
Hope this helps.
27 Jan 2025 09:07 PM
Hi
Actually what I need is something more complex but I wanted to start with something simple.
I know that you can do something similar with the Windows logs, but what I need is the list of users of a host, to compare it with the new users to see if any are new or modified users. This would open an alert in Dynatrace if there is a change to the original list of users.
28 Jan 2025 12:59 AM
This can be done as a 2-step process.
1. Ingest the logs - Solved: Custom Log Source - Windows Event Log - Dynatrace Community
2. Compare it with approved set of users list.
- If logs are on Grail, you can ingest the list as a log entry and then compare it using DQL. OR dynamically you can create the user dataset using this https://docs.dynatrace.com/docs/shortlink/data-source-commands#data and then compare it.
- If you don't have Grail yet or work in Dynatrace Managed, you can use the log processing rule's FIELDS_ADD function to compare; a sample is below. You can use multiple such lines, but this is difficult to scale for a big list of users.
USING(INOUT username:STRING, content)
| FIELDS_ADD(UnknownUser: IF(username != 'XYZ', 'NOT FOUND'))
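As an added example (not code from the thread or from Dynatrace), here is a PowerShell script for step 2 that keeps a baseline of the host's local users and writes one JSON line per added, removed or modified account to a file that the custom log source from step 1 can ingest. It goes beyond the approved-list check above by also flagging modified and removed accounts, as asked earlier in the thread; the two file paths are assumptions.

```powershell
# Added example (not from the thread): diff local users against a saved baseline and
# append one JSON line per change to a log file for Dynatrace log ingestion. Paths assumed.
$BaselinePath = 'C:\ProgramData\UserAudit\baseline.json'
$LogPath      = 'C:\ProgramData\UserAudit\user-changes.log'
function Get-UserSnapshot {
    # Capture the fields whose change should count as a "modified" account.
    $snap = @{}
    foreach ($u in Get-LocalUser) {
        $snap[$u.Name] = @{
            sid             = $u.SID.Value
            enabled         = [bool]$u.Enabled
            passwordLastSet = if ($u.PasswordLastSet) { $u.PasswordLastSet.ToString('o') } else { '' }
        }
    }
    return $snap
}
function Compare-UserSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($name in $Current.Keys) {
        $b = $Baseline[$name]; $c = $Current[$name]
        if (-not $b) { $changes += @{ change = 'added'; user = $name } }
        elseif ($b.sid -ne $c.sid -or $b.enabled -ne $c.enabled -or $b.passwordLastSet -ne $c.passwordLastSet) {
            $changes += @{ change = 'modified'; user = $name }
        }
    }
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) { $changes += @{ change = 'removed'; user = $name } }
    }
    return $changes
}
$current = Get-UserSnapshot
if (Test-Path $BaselinePath) {
    # ConvertFrom-Json yields PSCustomObjects; rebuild a hashtable keyed by user name.
    $baseline = @{}
    foreach ($p in (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = $p.Value
    }
    foreach ($chg in Compare-UserSnapshot -Baseline $baseline -Current $current) {
        # One JSON object per line: easy to parse with a log processing rule or DQL.
        $chg.timestamp = (Get-Date).ToString('o'); $chg.host = $env:COMPUTERNAME
        $chg | ConvertTo-Json -Compress | Add-Content -Path $LogPath
    }
}
# Persist the current snapshot as the new baseline (the first run only creates it).
New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Run it on a schedule (for example a Scheduled Task) with rights to read local accounts; the first run writes no changes and only creates the baseline.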
28 Jan 2025 06:23 AM
Instead of needing to make a dataset of current users, we can use DQL to check the number of unique users at this point and create a metric of it using log enrichment and metric extraction.
Then, whenever there's an increase in that number, we can create a metric event. That way we'd know someone new has logged in.