This article explains how to identify a record of an unusual event when analyzing logs.
Log enrichment adds columns such as Behavior.SourceIP and Behavior.SourceUserName to the logs. A value in Behavior.SourceIP, or in another Behavior column, indicates that the corresponding value in the record is present in the list shown in that column.
In the log example below, the Behavior.SourceIP column shows that the IP address 192.168.250.184 is in the list of sources accessing a malicious IP address.
In the example log below, the user with Source.UserName:adminlgs is also in the Administrators list.
Examining the Administrators list shows that it is a static list that includes users with admin privileges.
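The following Python sketch is an added example, not the product's own code or log output. It shows how list-based enrichment of this kind can produce the Behavior columns and how they can then be used to pick out an unusual record. The field names Source.IP and Destination.IP, the list name SourcesAccessingMaliciousIP, the malicious address, and the idea that the source list is filled as records arrive are all assumptions.

```python
# Added illustration of list-based log enrichment (not the product's code).
# Only Behavior.SourceIP, Behavior.SourceUserName, Source.UserName,
# "Administrators", 192.168.250.184 and adminlgs come from the article.

ADMINISTRATORS = {"adminlgs"}           # static list of admin users
MALICIOUS_IPS = {"203.0.113.66"}        # constructed value (TEST-NET-3 range)
MALICIOUS_ACCESS_LIST = "SourcesAccessingMaliciousIP"  # hypothetical list name


def enrich(records):
    """Return copies of the records with Behavior.* columns added."""
    flagged_sources = set()  # assumed: filled as matching records arrive
    enriched = []
    for record in records:
        row = dict(record)   # never modify the original record
        src = row.get("Source.IP")
        if row.get("Destination.IP") in MALICIOUS_IPS and src is not None:
            flagged_sources.add(src)
        if src in flagged_sources:
            row["Behavior.SourceIP"] = MALICIOUS_ACCESS_LIST
        if row.get("Source.UserName") in ADMINISTRATORS:
            row["Behavior.SourceUserName"] = "Administrators"
        enriched.append(row)
    return enriched


def unusual(enriched):
    """Records where an Administrators account acts from a flagged source."""
    return [
        row for row in enriched
        if row.get("Behavior.SourceIP") == MALICIOUS_ACCESS_LIST
        and row.get("Behavior.SourceUserName") == "Administrators"
    ]


# Constructed sample records, in arrival order.
SAMPLE = [
    {"Source.IP": "192.168.250.184", "Destination.IP": "203.0.113.66",
     "Source.UserName": "jdoe"},
    {"Source.IP": "192.168.250.184", "Destination.IP": "10.0.0.5",
     "Source.UserName": "adminlgs"},
    {"Source.IP": "192.168.250.10", "Destination.IP": "10.0.0.5",
     "Source.UserName": "adminlgs"},
]

if __name__ == "__main__":
    for row in unusual(enrich(SAMPLE)):
        print(row)
```

Only the second sample record is returned by `unusual`: it is the one where both Behavior columns are set, which is the combination an analyst would want to look at first.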